1

Because, according to several sources (e.g. How to avoid reverse engineering of an APK file?), it's impossible to prevent an app from being reverse engineered, and Firebase app tokens are stored in the APK source, how won't attackers get these credentials and destroy a Firebase database?

My concern is that there's no controller available to the developer between the native app and the Firebase database (unless one routes requests from e.g. an Android app to their own server and then to Firebase, which would slow down requests, I think). So anyone who can gain access to the tokens should essentially be able to do whatever they want with the database.

I'm coming from PHP and MySQL where I'd control all coming requests from clients with PHP, then access the database from PHP with database user information that is stored on the server, not clients.

WHAT I KNEW: Since the web service and the DB are both hosted on the server and only the web service needs direct access to the DB, there is no need to store DB access info in the app. So attackers don't have DB access information available in the app.

I'm probably missing something important here. Would love to understand more.

Relm
    What Firebase tells you to store in the APK are **not** credentials, but identifiers. They allow the app to find the correct back-end on the Firebase servers. This is not a security risk, but a simple necessity, similar to knowing that you can come to https://www.stackoverflow.com to ask questions. See this answer for more: http://stackoverflow.com/questions/35418143/how-to-restrict-firebase-data-modification – Frank van Puffelen Jun 07 '16 at 14:05
  • `What Firebase tells you to store in the APK are not credentials, but identifiers.`... Do you have a link, where this is stated? – SaAtomic Mar 21 '17 at 12:45
  • @FrankvanPuffelen tag – SaAtomic Mar 22 '17 at 09:03

1 Answer

0

You should not distribute the secret at all in the apps. It should not be needed there.

However, you should set up the Firebase Security Rules so that any client is only allowed to do the "safe" stuff.

Sten
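As an added illustration of what the answer calls the "safe" stuff (this is example rules text written for this page, not from the question, the answer or Firebase's own docs; the `users/$uid` layout and the field names are assumed), here are Realtime Database security rules that let each signed-in user touch only their own node, with the permissive development default kept as a comment for contrast:

```json
{
  "rules": {
    // Permissive development default (shown for contrast). With this in
    // place, anyone who extracts the project identifiers from the APK can
    // read and delete the whole database, which is the scenario the
    // question describes.
    // ".read": true,
    // ".write": true

    // Nothing is readable or writable unless a rule below grants it. Rules
    // cascade downward, so keep the root closed and open specific paths.
    "users": {
      // $uid is a wildcard bound to the child key under /users (assumed layout)
      "$uid": {
        // Only the authenticated owner of this node may read or write it
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        // Constrain the shape of what can be written (assumed field names)
        "displayName": {
          ".validate": "newData.isString() && newData.val().length <= 64"
        },
        "createdAt": {
          // A client may set this once but cannot change it afterwards
          ".validate": "newData.isNumber() && (!data.exists() || newData.val() == data.val())"
        },
        // Reject any field not listed above
        "$other": { ".validate": false }
      }
    }
  }
}
```

These rules are evaluated on Firebase's servers, so they still hold after the client code has been fully reverse engineered; the identifiers in the APK only tell the client which project to talk to.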