
My Swift iOS app only uses Firebase Anonymous Login. I am concerned about the security of my Firebase Database, as apparently anyone can access or delete my data (through a browser etc.?).

How can I secure my db so only my iOS app can access it?

I would have expected that the Firebase dashboard would allow me to generate an API key which I can embed in my app, but that does not seem to be the case.

Kashif
  • if your app is talking to the db directly, then it'd be trivial for someone to capture/analyze that communication and bypass your app entirely and talk to the db directly themselves. you basically need to implement a webservice that does the interfacing. so it'd be app<->webservice<->db, instead of anyone_who_wants_to<->db – Marc B Jun 21 '16 at 15:53
  • actually it is very easy to access anyone's Firebase db if they have not secured it. All you need is their Firebase app's url, which is usually easy to guess, and then you can issue read/write commands directly to it. – Kashif Jun 21 '16 at 15:56

1 Answer


You need to write security rules.

Anyone can see your URL, but security rules are how you dictate who has access to what pieces of data.

These rules act like annotations on your data structure and specify what constraints must be satisfied to allow the read or write.

Let's say you want to secure your database so only authenticated users can access the database. These are the default rules of the Realtime Database.

{
   "rules": {
     ".read": "auth != null",
     ".write": "auth != null"
   }
}

The auth variable is a server-side value that stores the current authenticated user. The rule checks whether that variable has a value and therefore contains a logged-in user.

> I would have expected that the Firebase dashboard would allow me to generate an API key which I can embed in my app, but that does not seem to be the case.

The Firebase console will give you a secret key, which gives you full access regardless of rules. But if you embed this in your app then it is no longer secure. This is why you use authentication: it creates tokens against that secret key for the specific logged-in user.

David East
  • As I specifically wrote in my question, I do not have user logins, so user based security is not an option. – Kashif Jun 21 '16 at 18:47
  • Your app uses anonymous login; those people are users with `uid`s, which works for those rules. You can use those rules for anything created by the client with the uid; it doesn't have to be the `"users"` node. – David East Jun 21 '16 at 18:59
  • I see, how can I modify your code so any uid will have access to all data? – Kashif Jun 21 '16 at 19:01
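As an added example (not part of the answer above), here is a rules file that does both things discussed in this thread: any signed-in user, including an anonymous one, can read and write a shared node, while per-user data is only reachable by the `uid` that owns it. The node names `shared` and `users` are assumptions; use whatever your app actually writes.

```json
{
  "rules": {
    "shared": {
      ".read": "auth != null",
      ".write": "auth != null"
    },
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}
```

Anything not matched by a rule is denied, so a client that knows the database URL but has no anonymous session (or tries another user's `uid`) gets permission denied. Note that anonymous sign-in only proves the request came through the Firebase SDK with a session token, not that it came from your app, so do not treat these rules as a substitute for validating the data itself.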