user9708219

Can someone access my Firestore database by somehow manipulating client app?

I am really concerned about the security of the data I would be storing in Firestore. I want to know if someone can somehow extract the google-services.json file from my Android app, or use some other tools, to access my Firestore database. Is it possible? If yes, how can I prevent it?

Upvotes: 3

Views: 2692

Answers (2)

Doug Stevenson

Reputation: 317497

If your app uses Firebase services and makes use of google-services.json, then yes, anyone can extract that data.

The issue for app developers isn't how to lock down that data (impossible), the issue is how to protect database and storage data to only those users who should be able to access it. The only solution for this is to use Firebase Authentication to verify the identity of people accessing your app, and use security rules to determine who should be able to read and write data.

There are currently no alternatives to this. If you don't require users to sign in using Firebase Auth, and your security rules allow universal access to data, then anyone on the internet who knows the name of your project will be able to access that data. Again, there are no exceptions to this. If your data is readable and writable to the world, then you will need to accept the potential billing consequences for this.

Again, learn about security rules for the products you use: Realtime Database, Firestore, and Cloud Storage.

If security rules are not feasible for your requirements, then you will need to set up a backend service that you securely control, and route all client access through that backend. You will want to make clients pass a Firebase Authentication token to your endpoint so it can validate access using the Firebase Admin SDK.

Upvotes: 7

Valeriy Katkov

Reputation: 40612

You should set up Cloud Firestore Security Rules to limit access to the data. Here is an example:

// Allow read/write access on all documents to any user signed in to the application
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth.uid != null;
    }
  }
}

Take a look at Get started with Cloud Firestore Security Rules for more details.

Upvotes: 2
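Both answers turn on the same point: the values in google-services.json are identifiers, not secrets, so access control has to live where the client cannot edit it, either in security rules or in a backend that verifies the Firebase ID token. The rule above grants every signed-in user read/write access to every document, which is a frequent next problem once sign-in is in place. The following example, added here and not taken from the question or either answer, shows the backend route Doug Stevenson describes: an endpoint for a hypothetical `/users/:userId` resource that extracts the bearer token, verifies it, and then enforces that the caller may only read their own document, the server-side equivalent of writing `request.auth.uid == userId` in a rule. In a real deployment `verifyIdToken` would be firebase-admin's `admin.auth().verifyIdToken(idToken)`, which checks the token's signature and expiry and returns the decoded claims; here it and the Firestore read are injected (labelled as constructed stand-ins) so the request-handling logic runs offline.

```javascript
// Added example, not code from the question or the answers. Shape of a
// backend endpoint that sits between untrusted clients and Firestore:
// clients send their Firebase ID token as "Authorization: Bearer <token>",
// the backend verifies it, then applies a per-user check before reading.
//
// Assumptions: the endpoint serves /users/:userId; verifyIdToken(token)
// resolves to the decoded claims ({ uid, ... }) or rejects when the token is
// invalid (in production: admin.auth().verifyIdToken); getUserDoc(uid)
// resolves to the stored document or null (in production: an Admin SDK
// Firestore read, which bypasses security rules, hence the check below).

// Pull the bearer token out of the headers, or return null. Node lowercases
// incoming header names, so only the lowercase key is consulted.
function extractBearerToken(headers) {
  const value = headers['authorization'];
  if (typeof value !== 'string') return null;
  const m = /^Bearer\s+(\S+)$/.exec(value.trim());
  return m ? m[1] : null;
}

// Build a handler that takes a minimal request ({ headers, params }) and
// returns { status, body }, so the logic is independent of any web framework.
function makeProfileHandler({ verifyIdToken, getUserDoc }) {
  return async function handle(req) {
    const token = extractBearerToken(req.headers);
    if (!token) return { status: 401, body: { error: 'missing bearer token' } };

    let decoded;
    try {
      decoded = await verifyIdToken(token);
    } catch (err) {
      // Signature, expiry or issuer failure: treat every case as unauthenticated.
      return { status: 401, body: { error: 'invalid token' } };
    }

    // Authentication proves who the caller is; authorization is still needed.
    // Only the owner may read /users/:userId. This mirrors a security rule of
    // the form: match /users/{userId} { allow read: if request.auth.uid == userId; }
    if (req.params.userId !== decoded.uid) {
      return { status: 403, body: { error: 'forbidden' } };
    }

    const doc = await getUserDoc(decoded.uid);
    if (doc === null) return { status: 404, body: { error: 'not found' } };
    return { status: 200, body: doc };
  };
}

// Constructed stand-ins so the example runs without Firebase credentials.
const FAKE_TOKENS = { 'tok-alice': { uid: 'alice' }, 'tok-bob': { uid: 'bob' } };
async function fakeVerifyIdToken(token) {
  if (!(token in FAKE_TOKENS)) throw new Error('auth/argument-error');
  return FAKE_TOKENS[token];
}
const FAKE_DOCS = { alice: { displayName: 'Alice', plan: 'pro' } };
async function fakeGetUserDoc(uid) {
  return Object.prototype.hasOwnProperty.call(FAKE_DOCS, uid) ? FAKE_DOCS[uid] : null;
}

const handleProfile = makeProfileHandler({
  verifyIdToken: fakeVerifyIdToken,
  getUserDoc: fakeGetUserDoc,
});

// Exercise the four cases a reviewer would want to see and collect the
// resulting HTTP status per scenario name.
async function runScenarios() {
  const cases = [
    { name: 'no token', req: { headers: {}, params: { userId: 'alice' } } },
    { name: 'bad token', req: { headers: { authorization: 'Bearer junk' }, params: { userId: 'alice' } } },
    { name: 'own profile', req: { headers: { authorization: 'Bearer tok-alice' }, params: { userId: 'alice' } } },
    { name: 'other user profile', req: { headers: { authorization: 'Bearer tok-bob' }, params: { userId: 'alice' } } },
  ];
  const results = {};
  for (const c of cases) {
    results[c.name] = (await handleProfile(c.req)).status;
  }
  return results;
}

runScenarios().then((r) => console.log(r));
```

Mounting this behind a framework is a matter of adapting `req.headers` and `req.params` and writing `status`/`body` to the response; the important property is that the Admin SDK read happens only after both the identity check and the ownership check, because Admin SDK access is not subject to security rules.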
