Reputation: 3042
Manually generate single auth-token for use in constant, to authenticate app to access database - Good or bad?
I'm creating a very simple licensing system for my Android application using Firebase.
The relevant part of the system works - a bit simplified - like this; I'm generating a unique key, storing it in the database and sending that key to the user who bought the application. The user activates the key in the app, which writes the device-ID and some other data to that license key.
However, anyone with a little bit of knowledge would pretty easily get into the database and modify the data, to make any license valid on their device instead!
Now to my (very) scientific research observations (yay!) - I've read about the Firebase token generator. It looked very promising at first, though the docs says I shouldn't include it (or my Firebase-secret) directly in the application code, which makes it a bad solution.
However, I then got the idea to manually generate one single auth-token, with a specific 'uid', and store it as a constant in the application code, and then authenticate with that token every the app needs access to my database (in other words, I would not include my Firebase secret in the application code).
I would then determine if a client should be granted access to the database by using Firebase rules, to check if the client is authenticated, and if it has the correct 'uid'.
Now my question is; is it bad practice to build the system like this, or may I turn this idea into reality?
Upvotes: 3
Views: 1053
Answers (1)
Reputation: 25134
If you store this token in your application it will be trivial for someone to decompile your APK and get the token, therefore enabling them to make requests to your database that you have not authorized.
If you just want to make sure that only registered clients are authorized to access the database, consider using Firebase Anonymous Authentication which will allow you to generate unique session tokens for each device.
If that's not flexible enough for you, you could generate tokens on your own server and use Firebase Custom Authentication to authenticate. This gives you full control over the contents of each token without hard-coding a token or secret in your APK.
Upvotes: 2
Related Questions
- How to securely store access token and secret in Android?
- Firebase Auth ID token has incorrect "aud" claim
- Can not generate a debug token for Firebase Storage with App Check
- Ship an application with a database
- Using Firebase push notification token for authentication - good or bad?
- Firebase service account to generate authentication token for client-side use with Google Apps Script
- How can i get a Oauth 2.0 access token for firebase in my Spring app
- Can I use the Firebase ID token from a client login to authenticate a Java desktop app using the Java SDK?
- Is it still possible to do server side verification of tokens in Firebase 3?
- How to use app secret with REST protocol to access firebase realtime database