Storing sensitive API keys in my app

Question

The title doesn't really indicates what I mean: I am searching for a secure way to save user data (a point system for a game - under no circumstances the user should have the ability to change his amount of points). And I stumbled across firebase, which seems pretty nice and easy.

But: If I give the app the rights to directly write the users new points to the database it is pretty insecure, right? I mean, someone could decompile the app and get the keys from firebase so that anyone could write to the database, or am I wrong?

Also, what would be the best way to save those "new point" into a firebase realtime database?

Edit: I am already securing my app with pro-guard but that just makes it more difficult for users to get the key, I guess.

Answer 1

its secure if you use cloud code. This way everything is going through the server to save it and a user has no way to change that unless they have access to your cloud code.

Answer 2

The Firebase configuration data in your app is not a security concern. It is simply information that your app needs to find its Firebase project on the servers. See Is it safe to expose Firebase apiKey to the public?.

To properly secure data you write security rules, which are evaluated on the server. With these you ensure that users can only read the data you want them to and that only authorized users can make valid changes.

In cases where security rules become more complex than is feasible, you can consider proxying the read/write through Cloud Functions for Firebase. With Cloud Functions your code runs on Google's servers, so you have to worry less about user modifying the code for malicious purposes.