Reputation: 13
I am writing an app using Firebase Realtime Database. With the app, you can create votings, which can then be shared with anybody. I use Firebase anonymous authentication.
I do not want users to need to register or login. So the votings are completely anonymous. The Realtime Database has the following rules:
    {
      "rules": {
        ".read": "auth.uid != null",
        ".write": "auth.uid != null"
      }
    }
As far as I understand, this means only people using my app, which created the anonymous ID for them, are able to read and write the database, right?
Or would there be any other way somebody can access the database without using the app?
Upvotes: 1
Views: 1165
Reputation: 599001
The auth.uid != null rule requires that the user is signed in to your project. It has nothing to do with whether they are using your app to do so.
Anyone can find the configuration data in your app, use that to call the same API that your app calls, create a user in your project that way, and then run whatever code they want (including deleting the root of your database).
To properly secure your database, you'll have to ensure the rules allow exactly what your code does and nothing more. This is typically easiest if you develop the rules hand-in-hand with the code of your app, instead of trying to add security after all the code works.
My recipe is usually:
A new option is to use Firebase App Check, which does reduce the chances of abuse by only allowing access from your app(s). You'll typically want to use App Check for broad protection, and then use security rules for fine-grained control over who can access what data.
Upvotes: 4
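As an added illustration of the answer's "allow exactly what your code does" advice (this is not code from the question, the answer, or Firebase's documentation), the rules below replace the blanket auth.uid != null rules with per-path rules for the votings app. The data layout is assumed: /votings/$votingId holds a voting with a createdBy field, title and options, and /votes/$votingId/$uid holds the option key each signed-in (anonymous) user chose.

```json
{
  "rules": {
    // Added example. Assumed layout:
    //   /votings/$votingId      -> { "createdBy": uid, "title": "...", "options": { optionId: label } }
    //   /votes/$votingId/$uid   -> optionId chosen by that user
    // Nothing is readable or writable at the root, so a signed-in attacker
    // can no longer dump or delete the whole database.
    ".read": false,
    ".write": false,
    "votings": {
      "$votingId": {
        // any signed-in user who knows the voting id may read it (sharing by link)
        ".read": "auth != null",
        // only the creator may create, change or delete a voting;
        // createdBy is fixed to the writer's uid at creation time
        ".write": "auth != null && ((!data.exists() && newData.child('createdBy').val() == auth.uid) || (data.exists() && data.child('createdBy').val() == auth.uid))",
        ".validate": "newData.hasChildren(['createdBy', 'title', 'options'])",
        "createdBy": { ".validate": "newData.isString() && newData.val() == auth.uid" },
        "title": { ".validate": "newData.isString() && newData.val().length <= 200" },
        "options": {
          "$optionId": { ".validate": "newData.isString() && newData.val().length <= 100" }
        },
        // reject any field the app does not use
        "$other": { ".validate": false }
      }
    },
    "votes": {
      "$votingId": {
        // results are readable by signed-in users
        ".read": "auth != null",
        "$uid": {
          // each user may only write (or remove) their own vote, and only for an existing voting
          ".write": "auth != null && auth.uid == $uid && root.child('votings').child($votingId).exists()",
          // the vote must name an option that exists on that voting
          ".validate": "newData.isString() && root.child('votings').child($votingId).child('options').child(newData.val()).exists()"
        }
      }
    }
  }
}
```

A signed-in client that bypasses the app can still create votings and cast its own vote, which is exactly what the app allows; it can no longer read or delete the root, change another user's vote, or edit a voting it did not create.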