Securing Firebase Database without having Firebase Auth

Question

I am learning Flutter by following Codelab Firebase Tutorial and developing test Android app almost similar to this. Users save their baby name and others vote their favorites which updates Votes count in database. Based on this, I have few questions related to Firebase Security.

1. App does not currently have any Firebase Authentication. Is it necessary to have Firebase Auth seeing users who will just vote does not need to have any kind of registration.
2. Can someone decompile my app and get google-services.json file? If yes, will that allow them to use this file in their app and mess my database?
3. How much secure is my app from non-users like I mentioned in above point if I do not include firebase auth and keep security rules to default (read, write all)?

Apologies, If I failed to convey my point properly as I am still in learning stages of App development.

Answer 1

You must be using Firebase Authentiction if you want per-user read/write restrictions. If you aren't using it, you can only restrict what anyone in the world can do with public access.

Yes, anyone can get the values from your google-services.json file. They are added to your app as string resources. No, it doesn't allow anyone to access everything. What you're asking here is very common, try doing some searches for that. For example this.

If you use security rules that allow all read and write access, anyone with an internet connection will be able to read and write your database. This is not really acceptable in most cases.