3

I am making a mobile app with Firestore and React Native.

There is no authentication system and upon starting the app, the user download a collection from Firestore.

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
       allow read: if true;
    }
  }
}

As of right now, the rule allows everyone to read from the database. Is it possible/advisable to limit the traffic to only our mobile app?

Kevin Amiranoff
  • 13,440
  • 11
  • 59
  • 90
  • 1
    You can also add extra security by adding SHA1 from android to your project settings in firabase platform. If you add the SHA1 of your debug/production keystore, only apps with the specific signature can use the data of googleservices.json to communicate with your Firebase. – Anita Jul 03 '20 at 12:13
  • Thanks @Anita. I guess that would be a little more secure. – Kevin Amiranoff Jul 03 '20 at 12:38

1 Answers1

2

It's not possible to use security rules to limit access to a certain app. If your rules allow read access without requiring a sign-in using Firebase Authentication, then anyone with an internet connection can perform reads.

Minimally, you could require anonymous authentication. But that still would not stop someone from creating an account and using that to read everything without going through the app.

Doug Stevenson
  • 297,357
  • 32
  • 422
  • 441