
I am developing an Android/iOS app using NativeScript + Angular. I want to display a ListView in my app. For that ListView, I want to use the Firestore database product by Firebase as the backend data provider. What I want:

1. I don't want users to log in or to be authenticated to use the app.
2. I want the data coming from the Firebase database to be usable only by my app. If some other app or anonymous user utilizes the data, is there any way I can block them?

I have tried putting rules like

```
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read: if true;
    }
  }
}
```

But it allows everyone to access the data.

Is there any other data provider which gives the same functionality?

Wojciech Wirzbicki
Vivek Kurmi

1 Answer


Update (May 2021):

Thanks to the new feature called Firebase App Check, it is now actually possible to limit calls to Callable Cloud Functions to only those coming from iOS, Android and Web apps that are registered in your Firebase project.

You'll typically want to combine this with the user authentication based security that I described earlier/below, so that you have another shield against abusive users that do use your app.

It is still typically recommended to control access based on authenticating a user (allowing you to identify each individual user), and then ensuring they can only access data they're authorized for (in security rules).

If you don't want your users to have to sign in, you can use anonymous authentication. While this doesn't give you any information about the user, you can still identify them in security rules and thus limit their access based on what they've done.

By combining App Check with security rules, you have both broad protection and fine-grained control over what data everyone can access.

Frank van Puffelen
  • Thanks for the answer, I found a way that we can use proxy services. By using proxy services, we will not store API-related properties on the client side; instead we will store those properties on the proxy services side. I am really not sure whether we can do this or not. Do you agree about the process? – Vivek Kurmi Dec 22 '18 at 20:04
  • [Hackernoon article](https://hackernoon.com/hands-on-mobile-api-security-get-rid-of-client-secrets-a79f111b6844) – Vivek Kurmi Dec 22 '18 at 20:18
  • That means you now need to limit access to your proxy. It can be done of course, but the more common approach is to use Firebase Authentication and secure access with rules. – Frank van Puffelen Dec 22 '18 at 20:27
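
The anonymous-authentication approach from the answer, written out as Firestore security rules next to the open rule from the question. This is an added example, not code from the question or the answer; the `products` collection name and the page-size limit of 50 are assumptions.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Rule from the question: any client that knows the project ID can read
    // every document, signed in or not.
    //   match /{document=**} { allow read: if true; }

    // Tightened form: only the collection backing the ListView is exposed
    // ("products" is an assumed name), and only to signed-in clients.
    // Anonymous Authentication satisfies request.auth != null, so users
    // never see a login screen.
    match /products/{productId} {
      // Single-document reads.
      allow get: if request.auth != null;

      // List queries must also be bounded (50 is an assumed page size),
      // so one client cannot pull the whole collection in a single query.
      allow list: if request.auth != null
                  && request.query.limit <= 50;

      // The app only displays data; no client may create, update or delete.
      allow write: if false;
    }

    // No other match blocks: paths without a matching allow are denied.
  }
}
```

With these rules the client must sign in anonymously before its first query; each request then carries a `request.auth.uid` that later rules can use to limit what an individual client does.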