Firebase android security

Question

i am building a chat android app that allows users to chat where users can create account and use all the features. It's about to be completed but there's a problem, actually a question.

Is firebase on android safe ?

In my firebase database, i have created a rule as follow:

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}

Now, this rule will reject any non authenticated users from accessing the data and pushing data or deleting any of it. But, when user creates an account on my chat app, he/she will be authenticated and my app will allow to make modifications. What if they reversed engineered the app and changed some of the codes and pushed invalid datas or removed some of the values from database coz they are already authenticated ?? How can i prevent that ?

When user creates account in my app i use:

 auth.createUserWithEmailAndPassword(email, password)
                    .addOnCompleteListener(RegisterActivity.this, new OnCompleteListener<AuthResult>() {

This will create a new chat user for the app. So, user is creating his/her own account and they know the credentials and everything. I am so confused, how can i prevent them from editing my codes ?

Answer 1

You can't prevent malicious clients from executing whatever code they want against your Firebase project. Someone will always find a way to compromise your app at runtime on a device that you can't fully control.

The way to protect your data is through sophisticated security rules that:

1. Requires users to be authenticated (as you already have)
2. Decide which users can read and write to which locations in your database
3. Reject invalid data from being written

This requires a fair amount of thought and effort. You can start with the documentation to learn more.

Please also read this question on Quora for some more ideas.