
So by now I know that attackers (hackers) are able to manipulate my database unless I control it through the security rules.

So I have a node in the database called chat_node; this is a node that allows each registered user to write to it.

The security rules of this node are like this:

{
  "rules": {
    "chat_node": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    }
  }
}

Problem:

Given the above rules, a hacker can reverse engineer my app that contains the google-services.json file, and then he may register with my app and change the code to delete the chat_node, so all users' data is lost.

How to prevent this with security rules?

data
  • It's true that programmers/hackers can reverse engineer the application to get what they want. However, the time + effort it takes to make that happen must be worth their while (meaning your application must have daily high traffic or be making big financial transactions). I suggest giving this a read: [Should I use ProGuard?](https://stackoverflow.com/questions/18259632/should-i-use-proguard) – Nero Dec 06 '18 at 18:57
  • @Nero That's not a really good reason not to think about and apply security rules to your product. Simply saying "it's not important" is exactly what your potential attackers want you to think. – Doug Stevenson Dec 06 '18 at 19:51
  • @DougStevenson not saying "it's not important" exactly. But instead I am saying the number of precautions to be used/implemented in a way. – Nero Dec 06 '18 at 19:53
  • @data The only way you can apply security rules is by first having a set of requirements about what your users should and should not be able to do with the data. Right now, what you're defining is too vague. What exactly do you want your users to be able to do and not to do? – Doug Stevenson Dec 06 '18 at 19:53
  • @Nero Use of security rules, to some degree, is strongly recommended by the Firebase team. In fact, if your rules appear too permissive, you will get an email reminding you that you should think about that and make changes. – Doug Stevenson Dec 06 '18 at 19:54
  • @DougStevenson in the above rules the attacker may delete the node and I don't want that to happen? – data Dec 06 '18 at 20:14
  • @DougStevenson I mean the whole chat_node. – data Dec 06 '18 at 20:14
  • You're missing the other part of my question. You need to define not just what users can NOT do, but also what they CAN do. It's easy to make rules that deny all access, but that's probably what you want. In other words, without understanding how your app works, it's not really possible to create rules for it. – Doug Stevenson Dec 06 '18 at 20:18
  • @DougStevenson at `chat_node` users can write and read what they post according to their uid as you see above, now when the app is reversed and hacked it can be manipulated to delete the whole node? – data Dec 06 '18 at 20:27
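Added example (not the asker's rules): a hardened version of the rules above. Realtime Database `.write` rules cascade downward, so because no `.write` is granted at `/chat_node` itself, a client cannot delete the whole node; what the original rules do allow is a user removing their own `/chat_node/$uid` subtree, which `newData.exists()` blocks, and `.validate` restricts what can be stored. The `$messageId` / `text` / `timestamp` layout is an assumption about the chat data, not something the question states.

```json
{
  "rules": {
    "chat_node": {
      // No .read/.write at this level: a client cannot read or delete /chat_node as a whole
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        // Owner may create/update their subtree but not remove it (newData.exists())
        ".write": "auth != null && auth.uid === $uid && newData.exists()",
        // Assumed message layout: /chat_node/$uid/$messageId/{text, timestamp}
        "$messageId": {
          ".validate": "newData.hasChildren(['text', 'timestamp'])",
          "text": {
            ".validate": "newData.isString() && newData.val().length > 0 && newData.val().length <= 1000"
          },
          "timestamp": {
            ".validate": "newData.isNumber()"
          },
          // Reject any child key not listed above
          "$other": { ".validate": false }
        }
      }
    }
  }
}
```

Test the rules in the Firebase console rules simulator with a write of `null` to `/chat_node` and to `/chat_node/<your uid>` before deploying; both should be denied.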
