
I am using the Firebase Admin SDK on Java to mint custom tokens with custom claims set. I am sending these back to the Android app, which is the client interface, and am logging in with:

signInWithCustomToken("foundtokenfromserver");

Now, the service account file used to sign the token is safe and hidden. But since the database URL, API key and storage bucket URL are exposed on the web part, I think anyone can make an app of their own from that. I do have security rules in place restricting a user to their own node.

My main concern is:

If someone intercepts the minted custom token and saves it, can they not just use that token to log in using the above FirebaseApp (generated using the exposed info)?

Is there a way for Firebase to prevent such misuse (maybe the auth domain can stop the web, but what about localhost)?

Kushan
  • I've never created a custom token, so I can't tell you much about that. But you don't need to worry about the database URL, API key and storage URL being exposed, unless your database and storage have the security rules set to public. Then anyone can access it from the URL ([check](https://stackoverflow.com/questions/35418143/how-to-restrict-firebase-data-modification)). The API key is also not a problem, because it is nothing more than a different way to name your project (refer to this [post](https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public)) – Rosário Pereira Fernandes Dec 27 '17 at 00:21
  • Yeah, I get that, but with those exposed, anyone can initialize a FirebaseApp instance on web and Android (I don't know about iOS). And if they do get their hands on the auth token, I am worried that they might just be able to authenticate or, let's say, masquerade and get in. Also, the Android SDK transparently refreshes the tokens, so... yeah, lifetime access :-\ – Kushan Dec 27 '17 at 00:24
  • I don't think anyone can initialize a FirebaseApp instance with these data. Because on Android, you'd need the `google_services.json` file to initialize your app. And on the web, you'd need to log in on the Firebase CLI before you can serve/deploy a web app using Firebase hosting. – Rosário Pereira Fernandes Dec 27 '17 at 00:32
  • `google_services.json` is exposed if anyone unpacks the APK. Also, they can have the same package ID, and in my case the Firebase app isn't protected by SHA-1 due to multiple Firebase projects in one app. Web is secure thanks to the login, as you said :D – Kushan Dec 27 '17 at 00:34
  • I worry too much :'( Stupid overthinking brain... I am sure there must be something on Android too which can save me – Kushan Dec 27 '17 at 00:38
  • All communication between the client apps and Firebase should happen over secure connections, which makes it safe from eavesdropping. How do you expect a malicious user to get `foundtokenfromserver`? – Frank van Puffelen Dec 27 '17 at 02:17
  • Well, the minted token will have to be sent back to the app, right? I was thinking that's where they can get it. Is there a way to not send the token back and log the user in on the server itself? – Kushan Dec 27 '17 at 09:01

1 Answer


In general, you will only mint the custom token after you send some auth assertion to your server. For example, you may be using your own custom auth system using email/password. Another example is that you could be using an unsupported OAuth provider and assume that provider already verified the user and only returned the assertion (OAuth credential, authorization code, etc.) after verifying the application. In addition, you would be using a secure TLS connection to prevent eavesdropping.

bojeil
  • Yeah, assertion always happens first, and yeah, the connection will be a TLS one in production :) Guess I am just a little paranoid lol – Kushan Dec 28 '17 at 10:17
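
A worked example of the flow bojeil describes, added here as an editor's illustration; it is not code from the question, the answer, or the Firebase SDKs. It is written in Go (the Admin SDK also ships for Go, but this block deliberately hand-builds the token from the documented custom-token format instead of calling the SDK, so the claims are visible): the server verifies an email/password assertion first and mints only on success, and the verifier side shows what the exchange endpoint checks when the client calls signInWithCustomToken, including that exp is one hour after iat. The service-account email, the in-memory RSA key standing in for the service-account file, the credential record and its fixed salt are all assumptions constructed for the example; a real Java server would call the Admin SDK's createCustomToken rather than a hand-rolled mintCustomToken.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Fixed audience of every Firebase custom token; signInWithCustomToken exchanges the token there.
const customTokenAudience = "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit"

// Assumed stand-ins for the service account. In production the private key is read from the
// service-account JSON on the server and never leaves it; this email is fictional.
var serviceAccountEmail = "minter@example-project.iam.gserviceaccount.com"
var serviceAccountKey, _ = rsa.GenerateKey(rand.Reader, 2048)

// Constructed credential for the server's own email/password system. Salted SHA-256 keeps the
// example dependency-free; a real deployment uses bcrypt, scrypt or Argon2 with per-user salts.
func hashPassword(pw string) [32]byte { return sha256.Sum256([]byte("constructed-salt" + pw)) }

var user = struct{ Email, UID string; Hash [32]byte }{
	"kushan@example.com", "uid-kushan-001", hashPassword("correct horse battery staple"),
}

type customTokenClaims struct { // payload shape the Admin SDKs emit for a custom token
	Iss    string                 `json:"iss"`
	Sub    string                 `json:"sub"`
	Aud    string                 `json:"aud"`
	Iat    int64                  `json:"iat"`
	Exp    int64                  `json:"exp"`
	UID    string                 `json:"uid"`
	Claims map[string]interface{} `json:"claims,omitempty"`
}

// mintCustomToken signs an RS256 JWT with the service-account key; exp is one hour after iat, the
// maximum lifetime Firebase accepts for a custom token.
func mintCustomToken(uid string, extra map[string]interface{}, now time.Time) (string, error) {
	payload, err := json.Marshal(customTokenClaims{Iss: serviceAccountEmail, Sub: serviceAccountEmail,
		Aud: customTokenAudience, Iat: now.Unix(), Exp: now.Add(time.Hour).Unix(), UID: uid, Claims: extra})
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding.EncodeToString
	signingInput := enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, serviceAccountKey, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc(sig), nil
}

// login is the server endpoint: the assertion is checked first and a token is minted only on success,
// so a caller who cannot authenticate never receives one to leak or replay.
func login(email, password string, now time.Time) (string, error) {
	h := hashPassword(password)
	if email != user.Email || subtle.ConstantTimeCompare(h[:], user.Hash[:]) != 1 {
		return "", errors.New("invalid credentials")
	}
	return mintCustomToken(user.UID, map[string]interface{}{"premium": true}, now)
}

// verifyCustomToken mirrors the exchange endpoint's checks: RS256 signature under the service
// account's public key (the header's alg is never trusted), the fixed audience, and a future exp.
func verifyCustomToken(token string, pub *rsa.PublicKey, now time.Time) (*customTokenClaims, error) {
	hdr, rest, _ := strings.Cut(token, ".")
	pay, sigPart, _ := strings.Cut(rest, ".")
	raw, errP := base64.RawURLEncoding.DecodeString(pay)
	sig, errS := base64.RawURLEncoding.DecodeString(sigPart)
	if errP != nil || errS != nil {
		return nil, errors.New("bad encoding")
	}
	digest := sha256.Sum256([]byte(hdr + "." + pay))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	var c customTokenClaims
	if err := json.Unmarshal(raw, &c); err != nil || c.Aud != customTokenAudience || now.Unix() >= c.Exp {
		return nil, errors.New("bad payload, wrong audience, or expired") // a captured token dies with its hour
	}
	return &c, nil
}

func main() {
	now := time.Now()
	tok, _ := login("kushan@example.com", "correct horse battery staple", now)
	c, err := verifyCustomToken(tok, &serviceAccountKey.PublicKey, now)
	fmt.Println(c.UID, c.Claims, c.Exp-c.Iat, err)
	_, err = verifyCustomToken(tok, &serviceAccountKey.PublicKey, now.Add(61*time.Minute))
	fmt.Println("same token replayed after an hour:", err)
}
```

Run as written, main prints the minted uid, the custom claims and the 3600-second lifetime, then shows the same token being refused 61 minutes later. That bounds the replay concern for the custom token itself: an intercepted custom token is tied to the project's service account and audience and is only exchangeable until its exp. The example says nothing about the ID and refresh tokens the client SDK holds after a successful exchange, which is the part the comments above go on to worry about.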