I want to enter a security rule to prevent deletion of the whole Firebase database at once by a random authenticated user. But I want to allow authenticated users to read, write and delete their own messages. Imagine the scenario below, where someone decompiles your app, gets the google-json file data and compiles an app that can connect to your project and setValue null on your whole database. Should I be worried about the above scenario, or has Google taken care of that? I have read the links below but I cannot get anything from them: "Firebase - secure the database from being deleted entirely" and "Too easy to delete whole database". I have also read the security tutorial at Firebase: https://firebase.google.com/docs/database/security/

Any help will be appreciated!

Frank van Puffelen
Farmaker
  • So do you think the above scenario can be real? Can somebody decompile an app, connect to Firebase and execute a command? – Farmaker Jul 17 '17 at 16:39
  • @tadman The Firebase Database has a [security rules language](https://firebase.google.com/docs/database/security/) that allows you to control who can access/modify which parts of the data. Direct data access for the Firebase Database is not only common, it's actively encouraged (hand in hand with properly securing access). – Frank van Puffelen Jul 17 '17 at 17:11
  • @Farmaker If a user recreates your application code, they're still bound by the security rules that you've specified for your database. For example it's quite easy to [ensure a user can only modify their own data](https://firebase.google.com/docs/database/security/user-security). In that case it doesn't matter whose code runs on the client, each user can only access/modify their own data. – Frank van Puffelen Jul 17 '17 at 17:14
  • So: yes, you should worry about securing access to the data in your database so that users can only access data they're authorized to access. But Firebase has a security rules language that it enforces on the server, so that you can ensure authorization without having to set up your own server. – Frank van Puffelen Jul 17 '17 at 17:15
  • Also see https://stackoverflow.com/a/35419194/209103, https://stackoverflow.com/a/37484053/209103, https://stackoverflow.com/a/18007760/209103, https://stackoverflow.com/a/18897630/209103 – Frank van Puffelen Jul 17 '17 at 17:22
  • Hello Frank. I have created a chat app with a strange form where the user writes messages to both sender and receiver. So messages exist in two places inside the nodes of two users. Maybe it is not recommended the way that I did it but that's it for now. Do you think Firebase user-security (the link that you proposed) will comply with this example? – Farmaker Jul 17 '17 at 17:26
  • @FrankvanPuffelen The ACL mechanisms of databases vary in terms of their granularity and robustness, but they're not always able to express the sorts of complicated logic that emerges in typical applications. Some of these new "cloud databases" make an effort to build out more sophisticated rules, but these often fall far short of what you actually need, plus it's often one tiny mistake away from exposing your whole database to read or write access. – tadman Jul 17 '17 at 17:52
  • @Farmaker: most databases can be secured. But it depends on your data model, your code, and your willingness to write security rules and code. As such this question is now too broad, which is quite clear from the length of comments vs the lack of answers. I don't really see how to write an answer for it. – Frank van Puffelen Jul 17 '17 at 20:16
  • @tadman Interestingly enough Firebase itself uses its database for quite some metadata. You can bet that this data is well secured through these rules. The rules themselves are actually quite simple there, although the data structure is slightly more involved to allow for this. – Frank van Puffelen Jul 17 '17 at 20:17
  • @FrankvanPuffelen Whatever features it offers, I'd get someone to do a very thorough security audit before going live and potentially leaking vast amounts of user data. These things happen all the time by mistake. – tadman Jul 17 '17 at 20:19
  • Agreed that the implications of mistakes are vast: leaking user's data is a serious concern and an extra pair of eyes on your security rules is a great way to mitigate that risk. But the same applies to the code you write for an app server. – Frank van Puffelen Jul 17 '17 at 20:25
  • Thank you everyone – Farmaker Jul 18 '17 at 05:15
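
One way to write the kind of rules the comments describe, as an added example that is not part of the original thread: there is no root-level `.write`, so a `setValue(null)` on the whole database is rejected, while each user keeps control of their own node. The `/users/$uid/messages/$messageId` layout and the `sender` and `text` fields are assumptions based on the asker's description of messages stored under both users' nodes.

```json
{
  "rules": {
    // No ".read" or ".write" here or on "users": access is denied by default,
    // and a write to "/" or "/users" (including set(null)) is only allowed if a
    // rule at or above that path grants it. None does, so it is rejected.
    "users": {
      "$uid": {
        "messages": {
          // Only the owner of this node can read the messages stored in it.
          ".read": "auth != null && auth.uid === $uid",

          "$messageId": {
            // The owner may create, change or delete any message in their own node.
            // Any other signed-in user may only create a message that does not
            // exist yet, and only with themselves as sender. That covers the
            // sender writing the receiver's copy; they cannot overwrite or
            // delete anything already stored there.
            ".write": "auth != null && (auth.uid === $uid || (!data.exists() && newData.child('sender').val() === auth.uid))",

            // Shape check for created or updated messages (assumed fields).
            // ".validate" is not evaluated when data is deleted, so the owner's
            // deletes still pass.
            ".validate": "newData.hasChildren(['sender', 'text']) && newData.child('sender').isString() && newData.child('text').isString()"
          }
        }
      }
    }
  }
}
```

Because read and write grants cascade downward and cannot be revoked deeper in the tree, the rules stay this narrow only as long as no `.write` is added at the root or on `users`.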

0 Answers