7

I am interested in the security aspect of the Firebase .plist configuration file that is given to you during configuration. This file counties sensitive information.

Should this file be protected? Because in the examples this file located in root of the project and could be easily taken from .ipa files.

Example of the GoogleService-Info.plist file:

enter image description here

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
Oleg Gordiichuk
  • 15,240
  • 7
  • 60
  • 100

1 Answers1

4

The information you're showing in your screenshot is not secret at all. In fact: values like the database URL, the project's API key and the project ID are necessary for the app to be able to find its Firebase project on Google's servers.

Also see:

Community
  • 1
  • 1
Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
  • 1
    Thx for the response. I download application from the iTunes and open it. Than I take GoogleService-Info.plist file and add it to the fake project. After that I configure Firebase. And I have access to query data and edit it. – Oleg Gordiichuk Jan 16 '17 at 15:47
  • 1
    Firebase is a set of cloud services, which inherently makes them accessible to everyone. To keep your data secure, you'll typically require authentication and authorization. For example: for the Firebase Database, you can control what users can do with security rules. Once you specify your rules, it doesn't really matter whether your users use your app to make changes or if they write their own code that does the same: as long as it adheres to your security rules, the result will be the same. – Frank van Puffelen Jan 16 '17 at 15:51
  • It is possible to conclude from the answer that application X that is using Firebase is wrongly configured with security rules and that is why I has permission to edit their data ? – Oleg Gordiichuk Jan 16 '17 at 15:54