wujek

Reputation: 11060

Disable access to Firestore from outside the app

I have a (private, i.e. for myself and a couple other people) Flutter app and it is supposed to run on iOS and Android. It is using Firestore behind the scenes for data sharing, and Firebase Authentication with Google Sign In as its sole provider. These are the details of the setup:

  1. Access rules only allow access for authenticated users, i.e. any user that my Firebase project knows of.
  2. To prevent other people from using my keys, I restricted them for their respective app types, i.e. iOS key only for a given iOS bundle id, Android key only for the specified package name and my (debug) key SHA1.

Question: does this guarantee that people that know my project id and db URL etc. can't simply read and write the data without my app? The source is on GitHub and GoogleService-Info.plist and google-services.json are committed as well. (I did some research and it appears this information is not secret as it is available in the APK and IPA anyway.)

My assumptions, please correct me whenever I'm wrong:

  1. Although the database can be accessed using, say, Postman, with my security rule they would have to authenticate with a valid user my Firebase project knows.
  2. To add users to my Firebase user database from outside of my app, someone would have to use my project information and use the API keys. If they managed to do this, they could simply log in with Google to their account, which would create a new user in my projects, and use the app.
  3. In my case, this means they would need to create an iOS or an Android app as the keys are 'scoped', i.e. they are only allowed for a certain app type (iOS and Android here). They can't use the API keys in a webapp. (Is this really true, is there any information in the keys to prevent, say, an Android key from being used for an iOS app or vice versa?)
  4. This is impossible for Android as I restricted the key - the attacker would have to create an Android app with the same package name as mine (allowed) but would also have to sign it with the private key only I have.
  5. I'm not so sure about iOS. I also restricted the key by specifying my bundle id, and it has to be globally unique when building for a device, but to be honest I don't know if it also needs to be unique for the simulator. If not, this would mean that someone could create an app with my bundle id, run on their simulator, log in with their Google account and have access to the data from now on.

Could someone confirm that this works the way I assume it does? And clarify the keys doubt in #3 and iOS doubt in #5?

Upvotes: 1

Views: 267
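
The rule described in item 1 of the setup admits any account the project has authenticated, so its strength rests entirely on who can sign in. As an added example (not part of the original post), here is that rule next to a stricter variant that pins access to known UIDs; the UID values are constructed placeholders and the catch-all path is an assumption about the data layout.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumption: the app's users are a small, known group.
    // Replace the constructed placeholders with UIDs from the
    // Firebase Authentication user list of the project.
    function isAllowedUser() {
      return request.auth != null
          && request.auth.uid in ['UID_PLACEHOLDER_1', 'UID_PLACEHOLDER_2'];
    }

    match /{document=**} {
      // Rule as described in the question: every signed-in account
      // passes, including one created by a first-time Google Sign-In.
      // allow read, write: if request.auth != null;

      // Stricter variant: a valid ID token alone is not enough;
      // the token's UID must also be on the allowlist.
      allow read, write: if isAllowedUser();
    }
  }
}
```

Because rules are evaluated on the server for every request, this check applies the same way whether the request comes from the app or from any other client.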

Answers (1)

Rajeevan

Reputation: 150

If you still need help you can reach out to Firebase's free support here: https://firebase.google.com/support/troubleshooter/contact

Upvotes: 1
