Amanda Wong

Reputation: 147

Is it secure to call Firestore from Flutter mobile apps?

I am new to the Flutter framework. I am coding a mobile application that connects to Firestore. I would like to ask how secure it is to simply code Firestore/Firebase database logic into our Flutter application. Is there any possibility that the user can alter the logic in the mobile app build itself and take control of what's being sent to Firestore/Firebase? Also, is it sufficient to protect my database with just Firestore/Firebase's DB rules?

Upvotes: 2

Views: 2365

Answers (2)

GraceL

Reputation: 1

I have been searching for a security solution using cloud_firestore, but it seems there is no way to send authentication data with a query. firebase_auth will authenticate a user, and cloud_firebase can query, but the two have no interoperability.

The only 'solution' I have seen is to make the whole database writeable.

Upvotes: 0

Doug Stevenson

Reputation: 317497

It's standard practice to write database queries directly into the app. That's exactly what you're supposed to do with the Firebase SDKs on all mobile app platforms.

You should also assume that any code you ship to end users might be reverse engineered and compromised in some way. It's not common, but it's very possible.

What you'll need to do is use Firebase Authentication along with Firestore security rules to protect your data at the server, so that users can only do what you say they can do. You will need to design rules that implement exactly what you want to protect.

It's impossible to say for certain if security rules are sufficient for your use case, since you haven't stated exactly what your requirements are. If they are not sufficient, you will have to offload some work to a backend you control, and it will have to check for whatever you want to allow.

Upvotes: 5
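
An added example, not part of the answer above: a Firestore security rules file showing the "whole database writeable" rule next to rules that tie access to the Firebase Authentication user and validate incoming data on the server. The `users` and `notes` collections and their field names are assumptions made for illustration.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK, shown for contrast only: anyone, signed in or not, can read
    // and write every document.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // request.auth is filled in by Firestore from the Firebase
    // Authentication ID token; it is null for unauthenticated requests.
    function isOwner(userId) {
      return request.auth != null && request.auth.uid == userId;
    }

    // Shape check on the incoming document (hypothetical fields). It runs
    // on the server, so a modified client build cannot skip it.
    function validNote() {
      let d = request.resource.data;
      return d.keys().hasAll(['title', 'body', 'updatedAt'])
        && d.keys().hasOnly(['title', 'body', 'updatedAt'])
        && d.title is string && d.title.size() > 0 && d.title.size() <= 200
        && d.body is string && d.body.size() <= 10000
        && d.updatedAt == request.time;  // must be a server timestamp
    }

    // Hypothetical layout: one profile document per user, keyed by UID.
    match /users/{userId} {
      allow get: if isOwner(userId);
      allow create, update: if isOwner(userId)
        && request.resource.data.keys().hasOnly(['displayName'])
        && request.resource.data.displayName is string;
      // No "list" or "delete" rule: both stay denied.

      match /notes/{noteId} {
        allow read, delete: if isOwner(userId);
        allow create, update: if isOwner(userId) && validNote();
      }
    }
    // Any path not matched above is denied by default.
  }
}
```

Rules like these can be exercised against the Firebase Local Emulator Suite before deployment, including requests with no signed-in user and requests for another user's UID.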
