
I'm starting with Firebase and I have a very basic question.

In the Firebase rules for the database I have:

{
  "rules": {
    ".read": true,
    ".write": true
  }
}

According to Google it means that anyone can read and write on the database.
My question is: who is "anyone"?

Let me clarify:

  1. I don't want to force the user of my app to log in, nor to have an account on Google in order to use it.
  2. This project is not shared with other people, other apps or any other stuff.

Is it possible for somebody to access the data stored in Firebase? If yes, how?

Again, if yes, what should I do to protect the data without forcing users to have credentials?

Frank van Puffelen
Rafael Lima
  • Exact duplicate of [Why is security through obscurity a bad idea?](https://stackoverflow.com/questions/533965/why-is-security-through-obscurity-a-bad-idea) – Aug 07 '18 at 14:12

2 Answers


true here means there is literally no protection of your data. Anyone who has the tools, and the name of your Firebase project, is able to fully read and write all your data. It should be considered that your database has extreme privacy concerns, which is especially bad for the data you're storing about your users.

Anyone can use something as simple as the REST API to access your entire database (or delete your entire database) with one request.

Without Firebase Auth, you should restrict all access through some other protected API that you control. It's outside the scope of this question to fully explore how to set up that other API.

Doug Stevenson
  • Could you elaborate more on your answer please? Two points: 1. If I didn't share the link of my Firebase project, how could someone get it? Sniffing the traffic? 2. Is it possible for me to create an "app" account and authorize all users from it without any user interaction? – Rafael Lima Aug 07 '18 at 06:30
  • If you have a public app that uses this unprotected database, it can be easily decompiled to find the name of the project it uses. There is no such thing as an "app" account. – Doug Stevenson Aug 07 '18 at 06:34

Referring to:

{
  "rules": {
    ".read": true,
    ".write": true
  }
}

You can imagine the boolean value for read and write as a security gate, where true is open access and false is a dead end. Setting it to "true" means that people could access your database (somehow) without even using your app.

Your points are:

  1. This app is only for private use.

  2. This app will not and never be distributed to other non-relevant people.

But how do you make sure other people won't attack/access your database? People could still access your database through browser controls (JS, Angular etc.).

Do remember, reverse engineering is possible: they could obtain your database information as well as your Firebase credential JSON file, which could put your data at risk.

No matter what, it is advisable you restrict the security rules. My recommendation is to implement a simple role based security rule to prevent abusive and unauthorised API call usage.
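As an added illustration of what both answers recommend (Firebase Auth for the "Without Firebase Auth" point, and the role-based rule from the second answer), here is a Realtime Database rules file that replaces the open `true`/`true` pair. It is example configuration written for this page, not code from either answerer; the `roles` and `notes` paths and the `admin`/`editor` role names are assumed for the illustration. Because granted access cascades downward in these rules, the root is left closed and each path opens only what it needs.

```json
{
  "rules": {
    ".read": false,
    ".write": false,
    "roles": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && root.child('roles').child(auth.uid).val() === 'admin'"
      }
    },
    "notes": {
      ".read": "auth != null",
      "$noteId": {
        ".write": "auth != null && (root.child('roles').child(auth.uid).val() === 'editor' || root.child('roles').child(auth.uid).val() === 'admin')",
        ".validate": "newData.hasChildren(['text', 'owner']) && newData.child('owner').val() === auth.uid"
      }
    }
  }
}
```

An unauthenticated REST request now gets permission denied at every path, a signed-in user can read notes and only their own role entry, and writes require a role stored under `/roles/<uid>` that only an admin can assign.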