0

I am working on an android application connected with firebase.

As we know that the api key and database name as being stored in strings.xml in apl file so they can be easily extracted.

As I told one of my friend his email-id and password for testing purpose.

The issue is that he was able to see all the data in the firebase realtime database by using the restAPI.

I had used sha1 but since the firebase is responding to the other links.

Is there any other way in which the firebase will respond to the request generated by the android app and not any web or ios.

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
group work
  • 33
  • 7

1 Answers1

0

Credentials for accessing Firebase are not platform specific. Once you know the credentials of a user, you can access the platform as that user.

For this reason you should never share your credentials with someone else, but instead give them access to your project with their credentials.

The simplest way to fix your problem now is to change the password of your account. After doing that, the other user will lose access within an hour.

The configuration data that is added to your Android app through google-services.json is just configuration data. It is in no way meant as authentication for your app. For more on this see Is it safe to expose Firebase apiKey to the public? and How to prevent other access to my firebase.

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
  • My friend was also able to change the email and password of his own , now how to prevent that ? As I don't wants to let the email id be changed in the firebase authentication. – group work Apr 28 '18 at 15:22