
I am thinking about using Firebase for our mobile games developed with Unity3D. My concern is that, in contrast to web apps, the code will be on the client.

What is stopping malicious users from making tons of calls to Firebase and ruining our account limits or, worse, raising our bill?

I know running my own server is better in many ways, but I don't have the resources or the knowledge to run it myself at this point. I also like the features of Firebase and believe Google has solved this in some way I don't know about.

Dave

1 Answer

Like most APIs that require an API key, such as Google Maps, you shouldn't let users communicate directly with them.

You need to have your own server and make each user create a username and password. Users would have to log in to your server in order to use the Firebase features that require payment. When they log in to your server, your server is responsible for making the requests and sending the request result back to the Unity application. The Unity app makes a request to your server, your server checks if the limit has been reached on this account, then decides whether to make the actual request and returns the result.

With your server making the request, you will be able to implement a limit on each account. By doing this, you will also be able to place a limit on IP addresses and make sure that new accounts are not created or used from the same IP to circumvent the server limit when the limit has been reached.


EDIT:

The answer above still applies to many other APIs that require API keys. Luckily Firebase has a feature called "Firebase Security Rules" and this might be useful in your case. You can use "Firebase Security Rules" to create a rate-limiting rule: each time there is a request, you check the timestamp and then update the database with the current time of the request. With this you can implement something like 1 request per minute.

There is a simple example here. There is also a more complicated and complete example here.

Programmer
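The timestamp-based rate limit described in the edit, written out as an added example (not from the answer or from Firebase's documentation) as Realtime Database Security Rules: each signed-in user may overwrite only their own `requests/$uid/last` node, and only with a server-stamped time (the client writes `ServerValue.TIMESTAMP`, which the rules engine sees within a second of `now`) that is at least 60000 ms after the stored value, so a client-chosen past or future timestamp is rejected and the node cannot be deleted to reset the timer. The paths `requests` and `last` and the one-second tolerance are assumptions.

```json
{
  "rules": {
    "requests": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        "last": {
          ".write": "auth != null && auth.uid == $uid && newData.isNumber() && newData.val() <= now && newData.val() >= now - 1000 && (!data.exists() || newData.val() >= data.val() + 60000)"
        }
      }
    }
  }
}
```

Rules for the data the game actually writes can consult the same node via `root.child('requests').child(auth.uid).child('last')`, so a missing or stale timer denies the write.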
  • Isn't the whole point of using Firebase not to need to run a server? Isn't the Firebase SDK for Unity3D then unsafe to use? Thank you for answering. – Dave Jul 12 '18 at 10:21
  • Yes, but it has many features like analytics, crashlytics, storage and more that you and your programmers would have to write, which takes months to do and test. *What's in my answer only requires that you have authentication on your server and then be able to use all those FB features*. That's it. I mean, you can try to do this with FB built-in authentication or on the device itself, but someone who wants to make tons of calls can easily do that since the code is running on their device. – Programmer Jul 12 '18 at 10:31
  • So if I understand right, the Firebase SDK for Unity3D is not preventing malicious users from making unwanted calls to Firebase? If so, this is very insecure for mobile developers who are not aware of that... – Dave Jul 12 '18 at 10:44
  • See my edit. I don't think there is more you can do without both pieces of information in my answer. I also do think that Google can easily implement this and let you configure it on their server, but I don't think they will and, of course, you should know why. – Programmer Jul 12 '18 at 11:43
  • Thank you for your detailed explanation! I think many inexperienced developers are using the SDK without thinking about the limits, just trusting Google. – Dave Jul 12 '18 at 11:56