
We are developing an application with Firebase which includes some sensitive data, like messages. I learned that the Realtime Database is encrypted on the servers, but project administrators can see the data. So I thought we could continue to develop our application without data encryption and minimize the number of developers who have access to the database.

Is there any way to develop a Firebase project without access to the database (I thought making our own developer panel for debugging might be a good idea), or should we encrypt our data?

If you are working in a big company or on a big project using Firebase, how did you solve this problem?

Kerem
    You could store the messages with a SHA family encryption format and have the key required to decrypt stored somewhere else in firebase. This would at least make the messages not readable and would require some work by the project administrators to decrypt each message with their individual keys. – SierraMike Apr 10 '20 at 18:15
  • 1
    I don't believe there's any encryption in Firebase. In other words, data is stored in firebase as text and if the rules are set to allow anyone to read that data, it's just plain, unencrypted text that anyone can read. If you want it encrypted, you have to do it client side and upload the encrypted text. – Jay Apr 13 '20 at 20:09
  • 1
    @Jay https://cloud.google.com/firestore/docs/server-side-encryption I found this, and the link says data is automatically encrypted with AES256 for Firestore. I couldn't find any official document for the Realtime Database. https://stackoverflow.com/a/47847151/13166706 Just this answer says the Realtime Database is also encrypted. – Kerem Apr 14 '20 at 13:00
  • 1
    To clarify, Firebase uses https, so *traffic* between the client and the server is encrypted. And while data on the server is encrypted, it's still readable as plain text by anyone with appropriate authentication, all console users, and, if your Rules are set to read = true with no other parameters, *everyone* else. The key is to minimize who has access to the console and incorporate rules. See this [Open Access](https://firebase.google.com/docs/rules/insecure-rules#open_access) with this note: *without rules... anyone who guesses your project ID can steal, modify, or delete the data* – Jay Apr 14 '20 at 14:48

0 Answers