
How do we prevent abuse in case somebody knows the firebase URL in phonegap apps? They might not be able to perform complete operation but they can potentially cause harm or heavy traffic (recurring sign ups, just lots of API calls).

As phonegap apps would no longer be able to use the authenticated domain security in firebase, what is the technique to use?

I've been wondering about this for quite some time and couldn't figure out or find anything that clearly says how it's done.

Thanks!

SOF

1 Answer


You are correct in saying that anybody can figure out your firebase URL. This is not specific to PhoneGap however. This is a key part of how Firebase works. And this should not be a problem for you. You can use our security rules API to prevent malicious users from reading or writing your Firebase data. The auth variable should come in handy for you for your use case.

I am not sure I understand what you mean by "authenticated domain security in firebase." Firebase security is client-independent and is enforced server-side. So, PhoneGap should be no less secure than other platforms.

jwngr
  • Thanks for the response @jacobawenger. I meant that web apps using Simple Login at least have permitted domain settings. But on mobile apps, that's not an option as, well, the front-end is on mobile, not hosted on any domain. So what if the mobile app accepts sign ups and writes new accounts to firebase, can malicious people potentially do countless sign up "attacks"? Is there a way to prevent that? Thanks again. – SOF Jul 11 '14 at 18:25
  • It is possible that a malicious user could sign up many times on your app. This is not a security issue but it could lead to you having a bunch of bogus accounts. However, there is no difference between PhoneGap and a web app here when it comes to Simple Login. Someone could do the same on a website built using Simple Login. For 99% of apps, this will not be an issue. If you want to protect against this, you could add some client-side code to prevent someone from continually pressing the sign up button with new credentials. – jwngr Jul 12 '14 at 23:39
  • Thank you @jacobawenger. You are right about Simple Login although on a domain-hosted web app, it's more secure because of the domain-level permissions, am I correct? Thanks. – SOF Jul 13 '14 at 03:53
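As an added illustration of the security-rules approach the answer recommends (this is not code from the question, the answer or Firebase's docs): a Realtime Database rules file that uses the `auth` variable so a signed-in user can read and write only the node keyed by their own `uid`, validates the fields that node may contain, and rejects any other child. The `users`, `profile`, `displayName` and `email` names are assumptions for the example.

```json
{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",
        "profile": {
          "displayName": {
            ".validate": "newData.isString() && newData.val().length <= 64"
          },
          "email": {
            ".validate": "newData.isString() && newData.val().matches(/^[^@]+@[^@]+$/)"
          },
          "$other": { ".validate": false }
        },
        "$other": { ".validate": false }
      }
    }
  }
}
```

Because the rules are evaluated on Firebase's servers, a client that knows the URL but has no valid `auth` token gets nothing from `users`, and an authenticated client cannot touch another user's node or add unexpected fields to its own.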