Petravd1994

Reputation: 903

How well protected is Firebase?

I am curious if a user is able to write any data to the key they have writing permissions to. Of course, normally this is done by authentication by the app they are using. But how well is it protected? If I am connected to my wifi I could use Tamper Data to change the network activities being sent.

As stated here: Does firebase encrypt data with a unique key per account? It says that the data is encrypted before writing to the database. This however does not include changing the values of the keys when the keys have not yet "arrived" at Firebase.

Is it possible to change the values by monitoring the network activities, like with Tamper Data?

Also, let's say these are some rules:

{
  "rules": {
    "users": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    }
  }
}

Is there any way a user could authenticate himself in any other way than using my app? How easily can an authenticated user change values directly in the database, if he has write rules?

Thank you

Upvotes: 1

Views: 458

Answers (1)

Michael Bleigh

Reputation: 26313

In your provided rules, a user would be able to write arbitrary data to the node corresponding to their own uid, which can only be obtained via signing in with a form of Firebase Authentication (including minting a custom token server-side using the Firebase Admin SDKs).

100% of Firebase Realtime Database traffic is sent over TLS-encrypted connections. There is no way to man-in-the-middle this traffic and change it in flight.

You can trust Firebase Database Security Rules to do their job, but it is up to you to write robust rules that adequately protect data for your given application use cases. I'd recommend making use of .validate rules for structure and fine-grained .write rules everywhere. Another important tip to remember is that authorization is hierarchical. Once a .write rule is matched by a client all children of that node can be written by that client.

Upvotes: 7
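To illustrate the two points in the answer (that `.write` cascades to every child once it matches, and that `.validate` is what constrains the shape of the data), here is an added example rule set, not part of the answer or of any Firebase documentation; the `displayName`, `email` and `role` fields and their constraints are assumptions chosen for the illustration.

```json
{
  "rules": {
    "users": {
      "$uid": {
        // Only the signed-in owner of this node may read or write it.
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid",

        // Because .write is granted here, every child below is writable by
        // the owner; a ".write": false on a child would NOT revoke that.
        // .validate rules do not cascade: each one must pass on its own level.
        ".validate": "newData.hasChildren(['displayName', 'email'])",

        "displayName": {
          ".validate": "newData.isString() && newData.val().length > 0 && newData.val().length <= 50"
        },
        "email": {
          ".validate": "newData.isString() && newData.val().matches(/^[^@]+@[^@]+$/)"
        },
        "role": {
          // Hypothetical privilege field: the client may create it as 'user'
          // once, but may never change it afterwards (only a server-side
          // Admin SDK write, which bypasses rules, can promote it).
          ".validate": "(newData.val() === data.val()) || (!data.exists() && newData.val() === 'user')"
        },

        // Reject any key not listed above, so clients cannot add arbitrary
        // children under their own node even though .write was granted.
        "$other": {
          ".validate": false
        }
      }
    }
  }
}
```

Without the `.validate` rules and the `$other` catch-all, the original rules would let the owner write any structure at all under `/users/$uid`, which is exactly the hierarchical behaviour the answer warns about.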
