Reputation: 2148
I have an app published on the Play Store, and I want to implement Firebase in the app.
I have read all the documentation and I have two doubts:
If someone uses an APK decompiler on my app and gets the googleservices.json, can they do whatever they want with the database?
Is it possible for my database to be secure without having the user logged in?
I would appreciate any help.
Upvotes: 2
Views: 1539
Reputation: 44813
The fact that someone can read your googleservices.json doesn't involve security holes. If you configured your Firebase project correctly, you will notice that in the "Project Settings" panel there is a SHA-1 signature to add. If you add the signature of your debug/production keystore, only apps with the specific signature can use the data of googleservices.json to communicate with your Firebase platform. (If you decide to not provide a SHA-1, Google will use something else as an identification mechanism as described here)
This question is not very clear. Your database is safe every time. If your user is not logged in, probably he will not be able to communicate with the database. Remember that a user should only be able to see its own data, so if your app logic is correct a logged user shouldn't be able to see other people's sensitive data. Moreover, remember to not change the database/storage connection rules in the "Rules" panel like in the image below to prevent unauthorized operations:
Upvotes: 3
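The restriction the answer describes ("a user should only be able to see its own data") is enforced server-side in the "Rules" panel. The following rules file is an added example, not part of the original answer. It assumes the Firebase Realtime Database, and the `users/<uid>` and `public_catalog` node names are hypothetical.

```json
{
  "rules": {
    // Deny by default: anything not matched by a rule below is
    // neither readable nor writable.
    ".read": false,
    ".write": false,

    // Hypothetical layout: each user's records live under /users/<uid>.
    "users": {
      "$uid": {
        // Access is granted only to the signed-in user whose uid
        // equals the path key, whatever the client app's logic does.
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    },

    // Hypothetical node for data that must be available without login:
    // readable by anyone, writable by no client.
    "public_catalog": {
      ".read": true,
      ".write": false
    }

    // Weak setting to avoid, shown for contrast. At the root level:
    //   ".read": true, ".write": true
    // would let any client that knows the project configuration read
    // and modify every node, because a grant at a parent path cannot
    // be revoked by a rule deeper in the tree.
  }
}
```

With these rules a client that is not logged in can read only `public_catalog`, which covers the case raised in the second question.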