A Firebase Android app with client/app authentication instead of user authentication

Question

My app has no individual users, instead it has some data that is generated by clients and can be seen by others, like public chat channel, usernames are also temporary.

I do not need every user account data to be authenticated. Instead only that if request is from my app, it should be served otherwise not. I see there is user authentication, but it means I have to keep the track of uids etc which also adds to data storage, other option is if I remove auth (set read/write public) and call data changes from my app.

Can I use app secret feature that is used by servers in my android app, if so how? This is rule for a server:

{
  "rules": {
    ".read": true,
    ".write": "auth.uid = 'myserver'"
  }
}

How can I make it work for my android app?

How my app is insecure without authentication (setting read/write public) , when only I know the url and only my package is configured from android app option on the server?

Is there any method other than user authentication that I can use which guarantees data security ?

Answer 1

I know it's been a few years since you asked this, but I wanted to let you know that this is now finally possible.

Thanks to a new feature called Firebase App Check, it is now actually possible to limit calls to your Realtime Database to only requests coming from iOS, Android and Web apps that are registered in your Firebase project.

You'll typically want to combine this with the user authentication based security offered by security rules, so that users can only do what they're authorized to do. But in your case, just App Check might be/have been enough.