0

Using Firebase as DB for the app only.

I would like to use Firebase to store data that is global for all users. User authentication is not required to access those data.

So, all user's will be able to access same data. For example "news articles" are same for all users. Users don't need to authenticate to access the news.

How can I setup android application to access Firebase data securely for all users?

By "securely", I mean I don't want to bundle credentials to access the DB with the app. Otherwise, anybody can access the data and wipe it or corrupt it.

Based on quick investigation, I found there might be 2 ways:

  1. Firebase REST API Using Firebase REST API and service account token to access the Firebase data.

  2. Firebase Auth Use one of the auth schema. For example use email & password auth or custom auth with custom token. I would assume both of them require me to bundle the secret password or token with the application.

Has anybody designed app with such use-case? Any pointers would be appreciated.

AL.
  • 36,815
  • 10
  • 142
  • 281
Hossain Khan
  • 6,332
  • 7
  • 41
  • 55
  • Short Answer: For this use-case, "app-as-user", it's not possible to avoid bundling the credentials used to access Firebase instance. _(See comments from accepted answer)_ – Hossain Khan Jan 10 '17 at 14:51

1 Answers1

1

Firebase Authentication doesn't require any bundling of anything. Your users provide their own credentials. Google Play services on the device provides the security that only your app signed with your signing key may receive the token that authorizes the users to perform the actions on the data that you decide through security rules.

Doug Stevenson
  • 297,357
  • 32
  • 422
  • 441
  • Thanks Doug for the information. For this use case, I was considering the app itself as the user which accesses data from Firebase and shows to end-users. So, in that case, since I would have to create a special user for this app to access the data, I would need to bundle those credentials to access the Firebase instance. What is ideal use case for REST API, when would somebody use that option? – Hossain Khan Jan 10 '17 at 03:24
  • 1
    There is no way to secure access to "just your app", without turning your app into a user (and thus encoding the credentials in there). See http://stackoverflow.com/questions/18005984/how-to-prevent-other-access-to-my-firebase. To access the Firebase Database, you'll either need to allow public read access (`".read": true`) or sign the users in (either with their accounts or [anonymously](https://firebase.google.com/docs/auth/android/anonymous-auth)). – Frank van Puffelen Jan 10 '17 at 04:00
  • Thanks for confirming. I was hoping there might be better way. I understand that Firebase was not designed for this use-case. I will try to tinker with the REST API first and accept Doug's answer for now, people should be able to find actual answer from comments. – Hossain Khan Jan 10 '17 at 14:48