0

Firebase provides strong security rules and recently they have introduced Firebase App Check at I/O 2021. All these are good security measures. But even if I do not enforce App Check and write the rules as:

".read": true
".write": true

Which information is used by others to access my database and how can I hide those informations?

1 Answers1

1

I'm glad you noticed security rules and App Check. These are important ways to protect your database from unauthorized access.

The information in your firebaseConfig variable on web, google-services.json and GoogleService-Info.plist is what Firebase SDKs use to locate resources and identify the app.

If you were to hide that information, others might still discover the database so it is important to set up rules carefully to prevent unauthorized use. The Firebase Security Checklist might help explain some of this, especially API keys for Firebase services are not secret.

If you intend your database to be used only by servers (i.e. no clients so you can keep your identifiers secret) you would still want to use rules to deny access to the public, and follow the guidance in Admin SDK Authentication.

Wesley Tarle
  • 11
  • 5
  • But **HOW** do they find my database? –  Jun 09 '21 at 18:13
  • Some ideas: if you have a web or mobile app, they have easy access to the identifiers included there. If not, while less likely -- they might guess or infer identifiers from your project ID, company name. Someone might accidentally share the ID in a pull request or something. – Wesley Tarle Jun 11 '21 at 18:45
  • If we use **_FirebaseDatabase.getInstance()_** in the source code (not including the URL), can they still find from the reverse engineered version of the APK? And also if we keep a unique name of our project, it may be hard for them to **guess**. Please explain if possible @WesleyTarle –  Jun 12 '21 at 13:22