Limit user access on IoT project while interacting with Google Cloud IoT Core

Question

So, I'm developing an automated illumination system for commercial purposes, and I intend to use Google Cloud IoT Core for managing device communications.

Users will use an app on their smartphones to manage their lights at their homes. On the app they'll create an account and register those lights. Then they'll be able to control their brightness, etc.

My question is: How do I structure my project on Google Cloud IoT to limit user access to their own devices, in case someone maliciously modifies my smartphone application (worst case example)?

On Google Cloud IoT we have following structure:

Project > registry > device

Since the registry amount is limited to 100, it's not a viable solution to create 1 registry per user.

I thought about using the backend of the application as a middleware between the Google Cloud and the app, but using that would kinda double the data traffic, essentially doubling the costs of maintaining the project, and the backend would have to be much more robust to handle the traffic:

This would be the backend acting as a middleware:

User > App > Backend > Google Cloud IoT > Backend > App

This would be the structure I would like, but I don't know if it's possible:

User > App > Google Cloud IoT > App

Is there any way to do this?

Answer 1

It's simply an account management. Your users log in, you retrieve the account and the list of devices linked to it and then, the users can interact with them. Like that, you can have several users that can interact with the devices of the same account.

You can store the authorized data list (the users' devices) in database, on Firestore for example. And use Cloud Identity Platform to authenticate the users (it's very similar to Firebase Auth, if you use a mobile App it will be easier for you)