Reputation: 1148
Since APKs can be decompiled, changed, and recompiled, what is preventing a user from decompiling an example APK with code such as:
```kotlin
fun onClick() {
    // Add a new "room" to the /rooms/ node
    val dbRef = FirebaseDatabase.getInstance().getReference("/rooms").push()
}
```
And changing it to:
```kotlin
fun onClick() {
    // Add a new "room" to the /rooms/ node
    for (x in 1..10000) {
        val dbRef = FirebaseDatabase.getInstance().getReference("/rooms").push()
    }
}
```
Recompile, and well, wreak some havoc? The decompiled APK will still have access to the google-services.json file. I assume there must be some way to prevent this type of behavior.
Upvotes: 1
Views: 72
Reputation: 362
You can generate a signed APK with obfuscation enabled in the release build. Obfuscation modifies your code in such a way that reverse-engineering becomes quite impossible to understand. It will also shrink and optimize your code, which will reduce your app size. In Android, it's very easy to use obfuscation. Like this, in your app-level Gradle file:
```groovy
android {
    buildTypes {
        release {
            // Enables code shrinking, obfuscation, and optimization for only
            // your project's release build type.
            minifyEnabled true
            // Includes the default ProGuard rules files that are packaged with
            // the Android Gradle plugin.
            proguardFiles getDefaultProguardFile(
                    'proguard-android-optimize.txt'),
                    'proguard-rules.pro'
        }
    }
    ...
}
```
You may need to skip some files, classes, or methods from obfuscation. The 'proguard-rules.pro' file will help you to do so. For more, see this documentation: https://developer.android.com/studio/build/shrink-code
Upvotes: 0
Reputation: 317362
There is nothing stopping someone from doing this.
What you're supposed to do is either:
In both cases, you should be using Firebase Auth to authenticate the user, so that your backend code or rules can authorize each specific action they take.
Upvotes: 1
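As an added illustration of the second answer's point (this is example rules text, not from the question or either answer): Realtime Database security rules enforce authorization on the server, so a modified APK that pushes 10,000 rooms is still bound by them. It assumes each room is written with `owner`, `name` and `createdAt` fields and that the client sets `createdAt` to `ServerValue.TIMESTAMP`; those field names are assumptions for this example.

```json
{
  "rules": {
    "rooms": {
      // Listing rooms requires a signed-in user (Firebase Auth), as the answer recommends.
      ".read": "auth != null",
      // Nobody may overwrite or delete the whole /rooms node in one write.
      ".write": false,
      "$roomId": {
        // A room may only be created (never replaced) by a signed-in user,
        // and it must be stamped with that user's own uid so every room is attributable.
        ".write": "auth != null && !data.exists() && newData.child('owner').val() == auth.uid",
        // Shape check: exactly these fields, nothing else, with sane types and sizes.
        ".validate": "newData.hasChildren(['owner', 'name', 'createdAt'])",
        "owner": { ".validate": "newData.isString()" },
        "name": { ".validate": "newData.isString() && newData.val().length > 0 && newData.val().length <= 64" },
        // Must equal the server clock, which is what ServerValue.TIMESTAMP resolves to;
        // a client cannot forge an old or future creation time.
        "createdAt": { ".validate": "newData.val() == now" },
        "$other": { ".validate": false }
      }
    }
  }
}
```

These rules do not by themselves cap how many rooms one signed-in user can create, but they guarantee every room carries the creating uid, so abusive accounts can be disabled in Firebase Auth and their rooms identified and removed; a per-user rate limit or a Cloud Function that performs the create on the client's behalf is the next step if that is needed.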