Restrict firebase access to a single android app without authentication

Question

I need to access read/write images from firebase storage. There is no authentication facility. How can I restrict the data management through app only.

Existing rules to provide public access is

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write;
    }
  }
}

Answer 1

There is no way to limit access to the files through the Firebase SDK to your application only. That approach simply doesn't work in a cloud-based environment.

Also see:

• Restrict access to Firebase storage so only my app can access it
• How to allow only my app to access firebase without a login?
• Locking down Firebase DB access to specific apps
• How to make firebase storage only available to users of the app (which I just now found, and of which your question is a duplicate)

While these are usually about other Firebase products, the same logic applies to Storage.

You will need to describe in your security rules what can be done to the files in Cloud Storage through the Firebase API, and then (if needed) who can do those things by using Firebase Authentication too.

Note that using Firebase Authentication doesn't necessarily require the user to provide credentials, as Firebase provides an option to sign in anonymously. This simply gives each user a secure, unique ID, which you could for example use to allow users only access to files they uploaded themselves (and many other use-cases).

Answer 2

As per docs

Cloud Storage stores your files in a Google Cloud Storage bucket, making them accessible through both Firebase and Google Cloud

Although firebase directly doesn't support that but google cloud has the option to restrict API to specific application package name signatures only. I tried for MAP sdk, but theoretically storage should work also.