Firebase is undoubtedly the best backend system (at least according to me) when it comes to the smoothness of development. But as far as I have read in several articles, the stored data may be exposed if the security rules are not written properly. But Firebase projects are directly connected with our apps (using the package name and SHA1 fingerprint, though optional). Now the question arises: if my Firebase project is bound to my app, why should I even care about security rules? How can my project be accessed from elsewhere?
Upvotes: 0
Views: 141
Reputation: 598728
For the longest time of its existence, Firebase projects were actually not tied to your specific app, or at least not for the services where it supports security rules (Firestore, Realtime Database, and Cloud Storage). So anyone with the configuration data could make calls to your project using the API, and security rules were the only way to protect the data from malicious users.
At I/O 2021, Firebase introduced App Check, which for the first time adds an app-level check to three products: Realtime Database, Cloud Functions and Cloud Storage. App Check works with the attestation providers of each supported platform (such as SafetyNet on Android) to only accept requests that are coming from your app, and reject others.
While this provides a broad level of protection, it is still possible that a malicious user breaks the mechanism. So I will still implement security rules in my Firebase projects, and thus combine the broad protection that App Check offers with fine-grained access control from within the security rules.
Upvotes: 2
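To make the "fine-grained access control from within the security rules" concrete, here is an added example of a Realtime Database rules file; it is not from the answer above and assumes a hypothetical data layout where each user's profile lives under `users/<uid>`. The commented-out lines at the top are the wide-open "test mode" rules that leave a project readable by anyone who knows its URL; the `users/$uid` block below them is the per-user replacement.

```json
{
  "rules": {
    // Weak setting (assumed "test mode" default): anyone who knows the
    // database URL can read and write the entire tree, with or without
    // the app. Rules cascade downward, so a `true` here could not be
    // revoked at a deeper path. Left commented out on purpose.
    // ".read": true,
    // ".write": true,

    "users": {
      "$uid": {
        // Only a signed-in user may read or write their own subtree;
        // `auth` is null for unauthenticated requests, so they are denied.
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",

        // Validation still applies even to the owner: the email field
        // must be a string that looks like an address.
        "email": {
          ".validate": "newData.isString() && newData.val().matches(/^[^@]+@[^@]+$/)"
        }
      }
    }
  }
}
```

Because nothing at the root grants access, every path not listed is denied by default; the `users/$uid` rule is the only opening, and it is keyed to the caller's authenticated identity rather than to the app that made the request. App Check enforcement is a per-product setting toggled in the Firebase console, not something expressed in this file, which is why the two layers complement rather than replace each other.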