Firebase Firestore with Android Frontend. Design question: Security relavant code on frontend?

Question

assume we have a banking app with a firebase backend. We can see our current balance and we can add a transaction.

Now from coding perspective:

If we add a transaction we need to adjust the account balance. As this is security relevant (we do not want someone to manipulate the frontend and adjust the account balance) we only add the transaction and let the backend (firebase cloud function) execute it.

But now the account balance (the ui) will be unresponsive until the backend added the transaction and synched it to the frontend leading to a bad user experience.

Expected behaviour: An added transaction directly reflects to the account balance.

How to workaround this issue?

I have multiple ideas in my mind:

Let the frontend execute the transaction (Feels pretty bad)
Execute it on frontend AND backend where the frontend only writes to cache and the backend confirms or overwrite the caches result (Feels good, but how to only write to cache and not to sync?)
Manipulate the visible data on presentation layer until backend overwrites/confirms (Same as 2 but with same hacky way of doing this on presentation layer)

Note: I do not think this is an opinion based question. I think there are standard ways of doing such things thus I think this question is legit.

Any help appreciated

EDIT: It is not actually a banking app. This is an easy example to demonstrate the problem. The target application needs way less security then a banking app, still the issue stays

Firebase Firestore with Android Frontend. Design question: Security relavant code on frontend?

Answers (1)

Related Questions