Reputation: 147
I want to know if that server field, which gets put from the server with an instruction like this:
result.put("timestamp", ServerValue.TIMESTAMP);
can be tampered with easily or not. I mean, I just don't see, with only that, that a malicious user could capture TCP/IP traffic and change that ServerValue.TIMESTAMP to any value he desires.
I guess Firebase has some built-in mechanism that rejects the packet if that is changed in some way; I guess something like a certificate or whatever for a case like this one.
But I'd like to know for sure: I want to know if there's some mechanism to avoid that, one that makes faking the mentioned value harder than just capturing TCP/IP traffic on the fly and changing it.
Upvotes: 1
Views: 141
Reputation: 599621
The ServerValue.TIMESTAMP is a sentinel value that is sent to the Firebase servers as a special map. The server recognizes this sentinel, and expands it to the correct date/time. Since this expansion happens on Google's servers, there is no way for a malicious user to change it.
A malicious user might intercept the request and set a hard-coded date/time, instead of the sentinel value. If you want to prevent that, you can do so in the security rules of your database by checking that the property/field is set to the current server time.
How to do this depends on the database you use.
For the Realtime Database:
".validate": "data.val() === now"
For Cloud Firestore:
allow create: if request.resource.data.timestamp == request.time;
Upvotes: 1
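To make the two halves of the answer concrete (the sentinel is expanded on the server, and a rule that compares the written value against the server clock rejects a hard-coded substitute), here is an added example that is not part of the original question or answer and is not Firebase's own code. It models a Realtime Database write: the client payload either carries the sentinel or a value an interceptor has swapped in, a simplified "server" expands sentinels and then applies the rule. The sentinel's wire form {".sv": "timestamp"} is what the Firebase SDKs actually send; the server model itself (expandServerValues, validateTimestamp, handleWrite) is a simplification written for this example, and the rule it models is the one from the answer, which in Realtime Database rule syntax would be written as newData.val() === now (newData is the incoming value; data is the value already stored).

```javascript
// Added example: a model of ServerValue.TIMESTAMP handling and a
// "value must equal the server clock" validation rule. Not Firebase code.
// Assumption (true for the Firebase SDKs): the sentinel is sent on the wire
// as the single-key map {".sv": "timestamp"}. Everything below that models the
// server side is a simplification for illustration.

const ServerValue = Object.freeze({ TIMESTAMP: Object.freeze({ ".sv": "timestamp" }) });

// The server only recognises the exact sentinel shape; anything else is data.
function isTimestampSentinel(v) {
  return (
    v !== null &&
    typeof v === "object" &&
    !Array.isArray(v) &&
    Object.keys(v).length === 1 &&
    v[".sv"] === "timestamp"
  );
}

// Server-side expansion: every sentinel becomes the server's clock reading.
// A client cannot influence this value, because it is taken from serverNow,
// never from the payload.
function expandServerValues(value, serverNow) {
  if (isTimestampSentinel(value)) return serverNow;
  if (value !== null && typeof value === "object" && !Array.isArray(value)) {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = expandServerValues(v, serverNow);
    return out;
  }
  return value;
}

// Models the rule from the answer on the "timestamp" child:
//   ".validate": "newData.val() === now"
// i.e. the value being written must equal the server's clock at rule time.
// This model also rejects a missing field; in real rules that needs an
// extra newData.hasChildren(['timestamp']) on the parent.
function validateTimestamp(expanded, serverNow) {
  return typeof expanded === "object" && expanded !== null && expanded.timestamp === serverNow;
}

// Full write path: expand sentinels, then run the rule. Returns what the
// database would store, or null when the write is rejected.
function handleWrite(payload, serverNow) {
  const expanded = expandServerValues(payload, serverNow);
  if (!validateTimestamp(expanded, serverNow)) {
    return { accepted: false, stored: null };
  }
  return { accepted: true, stored: expanded };
}

// Constructed scenarios (serverNow is a fixed clock reading for the example).
const SERVER_NOW = 1700000000000;

// 1. Honest client: sends the sentinel, server fills in its own clock.
const honest = handleWrite({ text: "hi", timestamp: ServerValue.TIMESTAMP }, SERVER_NOW);

// 2. Interceptor replaces the sentinel with a chosen epoch-millis value.
const forgedValue = handleWrite({ text: "hi", timestamp: 1234567890000 }, SERVER_NOW);

// 3. Interceptor tries to "edit" the sentinel itself; it stops being a sentinel
//    and is stored as a plain map, which the rule rejects.
const mangledSentinel = handleWrite(
  { text: "hi", timestamp: { ".sv": "timestamp", offset: -86400000 } },
  SERVER_NOW
);

// 4. Interceptor drops the field entirely.
const missing = handleWrite({ text: "hi" }, SERVER_NOW);

console.log("honest accepted:", honest.accepted, "stored:", honest.stored.timestamp);
console.log("forged value accepted:", forgedValue.accepted);
console.log("mangled sentinel accepted:", mangledSentinel.accepted);
console.log("missing field accepted:", missing.accepted);
```

The point the model makes visible: the sentinel is not a value the client controls, it is an instruction the server executes, so tampering with it either leaves it intact (and the server still fills in its own clock) or turns it into ordinary data. The rule from the answer then closes the remaining gap, a client writing a literal timestamp, because a literal would have to equal the server's millisecond clock at the moment the rule runs. The trade-off is that the same rule also rejects an honest client that writes its own local clock, so every writer of that field must use the sentinel.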