Is hard coding the Firebase config data into an app a security risk?

Question

As the title says, is it a security risk/concern that I hard code my firebase config data into my (react-native) app? If it's a concern, is there a different approach to this?

I'm talking about the data mentioned below.

const config = {
  apiKey: "",
  authDomain: "",
  databaseURL: "",
  projectId: "",
  storageBucket: "",
  messagingSenderId: "",
  appId: ""
};

This is configuration data that is necessary to find your Firebase project on Google's server. It is not a security mechanism, for which you should use one of Firebase's other mechnaism (typically server-side security rules). See https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public — Frank van Puffelen, Jul 28 '19 at 17:04

cutiko · Accepted Answer · 2019-07-28T19:22:36.927

No. Several reasons:

1 No secret there

2 You could access the project using the Firebase REST API instead of the sdks

3 It is the equivalent of a public API

4 The real security is on the database or storage rules

Think it this way.

Plenty of services like Twitter, Spotify, Gmail, expose public APIs. But you cant tweet in behalf some one else, or you cant like a song, or you cant send an email.

So if some one get that file from the client, web or mobile, then they would only be allowed to do what rules allow to. If you create a chat app then your rules will prevent impersonation or miss use of files.

Is hard coding the Firebase config data into an app a security risk?

1 Answers1