Firebase is a wonderful backend service with strong security rules. At I/O 2021, they also introduced Firebase App Check, which adds an additional layer of security. But even if I set the read/write permissions to true and do not enforce App Check, can anyone access my database without knowing the URL? If not, then what is the best way to completely hide the URL in Android Studio?
1 Answer
To access the Firebase Realtime Database you must know its URL. But that also means that any application that needs to access the database, must know that URL in it - in the case of Android applications, typically this comes from the `google-services.json` file. And if that URL is present in your application binary, that means that a malicious user can find it, and use it to access your database.
So: yes, you need to know the URL of the database to access it, but unfortunately you're sending that URL to all users of your app (since that needs the URL too).

Frank van Puffelen
- Is there any way to protect the URL from reverse engineering? (I know 100% protection is not possible, but any good security measure)? – Jun 12 '21 at 17:34
- Any data that your app uses, can be found by a (sufficiently motivated) malicious user. So while you could load the URL on demand from some cloud-hosted service, you'd still end up using the URL in your code, and now you've added another cloud-hosted service as an attack vector. The proper way to protect your database is with security rules, and now App Check, or by disallowing client-side access altogether (`".read": false, ".write": false`) and then doing all access through a custom server-side API (which then also becomes a new attack vector). – Frank van Puffelen Jun 12 '21 at 17:39
- Thanks to the entire Firebase team for introducing App Check. We really needed it. And also, I remember your suggestion of using proper security rules too. :) – Jun 12 '21 at 17:59
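A defensive check for the security rules the answer and comments point to, as an added example that is not part of the original thread: it scans a Realtime Database rules file for `.read`/`.write` rules that are unconditionally true, since a database URL shipped in the app offers no protection once such a rule exists. The sample rules, the path names and the `find_open_rules` helper are constructed for illustration, and the rules file is assumed to be strict JSON without comments.

```python
import json

# Constructed sample rules, not taken from the page: a wide-open root,
# one per-user path that requires authentication, and one public path.
SAMPLE_RULES = """
{
  "rules": {
    ".read": true,
    ".write": "true",
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    },
    "public_feed": {
      ".read": true,
      ".write": false
    }
  }
}
"""


def find_open_rules(rules_text):
    """Return sorted (path, operation) pairs whose rule is unconditionally true."""
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                # A rule may be the boolean true or the string expression "true".
                if value is True or (isinstance(value, str) and value.strip() == "true"):
                    findings.append((path or "/", key))
            elif isinstance(value, dict):
                # Descend into child paths, including $wildcard segments.
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_text).get("rules", {}), "")
    return sorted(findings)


if __name__ == "__main__":
    for path, op in find_open_rules(SAMPLE_RULES):
        print(f"open rule: {op} at {path}")
```

Because Realtime Database rules cascade, an open rule reported at `/` grants access to every child path regardless of the stricter rules beneath it.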