Reputation: 565
I'm building an iOS app and using Firebase database for the backend. The app doesn't have any users. Any user that downloads the app should have access to the Firebase backend (some functions require that I access the backend for reading and writing). However, I don't want to make this Firebase public. Currently, the way I've set up Firebase security rules is as follows:
    {
      "rules": {
        ".read": "auth == null",
        ".write": "auth == null"
      }
    }
Obviously, this presents security problems! Again, I don't have any "users" to create auth uid to make this a more secure database.
What I want is this:
Is there a way to do this? I know that in the non-iOS environment simply using Database Secrets will do, but how can I do this for the iOS app?
Upvotes: 0
Views: 105
Reputation: 17523
You can't!
Okay, you're probably looking for a more thorough explanation than this:
We don't provide any solution that allows you to ship with database secrets on the client because, frankly, it would be fairly trivial for a bad actor to extract those values from the client.
Additionally, it's a pretty bad security hole to say "Well, let's only allow iOS clients to access any part of my data", as it's fairly easy for somebody to mess with their client and make it do things you didn't intend for it to do. (Or create their own client and make it look like a valid iOS device to you, and then have it do all sorts of bad stuff on the database side.)
As a general rule, you want to implement security rules as if any client request coming in might be untrustworthy. That probably means adding in more complicated security rules than you originally intended, but you'll be better off in the long run.
Upvotes: 1
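An added example, not part of the original question or answer: one way Realtime Database rules can treat every request as untrusted when there are no user accounts, by denying access by default and constraining exactly what may be written. The `catalog` and `feedback` paths and their fields are hypothetical; substitute the app's own data layout.

```json
{
  // Added example. "catalog", "feedback", "text" and "createdAt" are
  // hypothetical names, not taken from the original post.
  "rules": {
    // Deny by default: nothing is readable or writable unless a rule below grants it.
    ".read": false,
    ".write": false,

    "catalog": {
      // Data every install needs to read. No client is allowed to change it.
      ".read": true
    },

    "feedback": {
      // No ".read" here, so clients cannot list or read what others submitted.
      "$entry": {
        // Create-only: an existing entry cannot be overwritten or deleted.
        ".write": "!data.exists() && newData.exists()",
        // Both fields are required.
        ".validate": "newData.hasChildren(['text', 'createdAt'])",
        "text": {
          // Bounded string, so a modified client cannot store arbitrary blobs.
          ".validate": "newData.isString() && newData.val().length > 0 && newData.val().length <= 500"
        },
        "createdAt": {
          // Timestamp may not lie in the future relative to server time.
          ".validate": "newData.isNumber() && newData.val() <= now"
        },
        // Reject any field not listed above.
        "$other": {
          ".validate": false
        }
      }
    }
  }
}
```

These rules limit the shape and location of writes, not who sends them: any client can still create well-formed `feedback` entries, so the data should be treated as untrusted input wherever it is consumed.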