
I'm working on an Android app that reads from a Firebase database. App users won't be logging in or modifying the database. All app users will be looking at the same data; I'm using Firebase for its real-time update features.

Ideally, I would like to restrict access to the database so that only my app can read the data.

I am aware of a few things I could do:

1. Write security rules that allow anyone to read, that is

{
  "rules": {
     ".read": true,
     ".write": false
  }
}

Con: Anyone can read :(

2. Write security rules that allow authenticated users to read, then hard code the username and password into the app

{
  "rules": {
    "$user_id":{
       ".read": "auth.uid === $user_id",
       ".write": false
    }
  }
}

Con: Hard coding a username and password in an app seems very wrong. Plus, it doesn't actually lock down the database, since anyone could decompile the app, grab the google-services.json and the hard-coded user name/password, and write their own app that shared my package name.

Googling has revealed this, which is specific to writing, and this, which says "no" but is a few years old.

What is the correct approach to restricting access to the database? Am I approaching this from the wrong direction?

Michiyo

2 Answers


3. Use FirebaseAuth and signInAnonymously() method

reference: https://firebase.google.com/docs/auth/android/anonymous-auth

Then adjust security rules:

    {
      "rules": {
        ".read": "auth != null",
        ...
      }
    }

Con: multiple accounts used only for reading the same data

androfan
    This seems even less secure than #2, since I'd be giving up the ability to hide/encrypt/obfuscate (not great, but better than nothing?) a username and password. Can you clarify why you think this is better? – Michiyo Jan 30 '17 at 03:26
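To make concrete who can read what under rule sets 1 and 2 from the question and set 3 from this answer, here is a small Python model of the Firebase Realtime Database read-rule cascade. It is an added example, not code from this thread and not Firebase's real rule engine: it understands only the ".read" expressions quoted above and the tree shape those examples use.

```python
# Added model of the Firebase Realtime Database read-rule cascade for the
# three rule sets in this thread. Not Firebase's engine: it understands only
# the ".read" forms quoted above (true/false, "auth != null",
# "auth.uid === $var") and the rules-tree shape those examples use.

RULES_ANYONE = {"rules": {".read": True, ".write": False}}              # option 1
RULES_PER_USER = {"rules": {"$user_id": {".read": "auth.uid === $user_id",
                                         ".write": False}}}             # option 2
RULES_ANY_AUTH = {"rules": {".read": "auth != null", ".write": False}}  # option 3


def eval_rule(expr, auth, variables):
    """Evaluate one .read expression. `auth` is None for an unauthenticated
    request, or a dict holding the token's uid (anonymous sign-in gives one)."""
    if isinstance(expr, bool):
        return expr
    expr = expr.strip()
    if expr == "auth != null":
        return auth is not None
    if expr.startswith("auth.uid === $"):
        var = expr[len("auth.uid === "):]
        return auth is not None and auth.get("uid") == variables.get(var)
    raise ValueError(f"unsupported rule expression: {expr!r}")


def can_read(rules, path, auth=None):
    """Walk the rules tree along `path`. As in Firebase, a .read that grants
    access at a location also grants every child below it, so the first grant
    from the root downwards wins; with no grant on the way, access is denied."""
    node = rules["rules"]
    variables = {}  # $wildcard captures, e.g. {"$user_id": "alice"}
    segments = [s for s in path.split("/") if s]
    for depth in range(len(segments) + 1):
        rule = node.get(".read")
        if rule is not None and eval_rule(rule, auth, variables):
            return True
        if depth == len(segments):
            return False  # reached the requested location without a grant
        seg = segments[depth]
        if seg in node:
            node = node[seg]
            continue
        wildcard = next((k for k in node if k.startswith("$")), None)
        if wildcard is None:
            return False  # no rule covers this subtree: denied by default
        variables[wildcard] = seg
        node = node[wildcard]
```

Under option 1 `can_read(RULES_ANYONE, "/", None)` is true for every caller, which is what the REST interface mentioned below exposes; options 2 and 3 only distinguish "has a token" from "has no token", not your app from any other client that obtained one.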

When you add your application to a Firebase project, you must specify the SHA1 certificate of your app, so nobody is able to access your data except you.

Nick Moskalenko
    It's not true. With `".read": true,` anyone can access the web-based database interface via http://project_name.firebaseio.com/ – androfan Jan 25 '17 at 20:30