0

I have an application that connects to firebase cloud storage to store images and firestore to store data. I have added some security rules that require the user to be authenticated to be able to modify the data. My application doesn't allow users to connect with firebase, I use another service so I made an automatic anonymous firebase authentication at the launch of the app so that users can use the application. I thought that the computer's SHA-1 key entered in the firebase(android) console would prevent the android application from being compiled on another machine and thus guarantee that anonymous users are on my application. However I can build and run the application on another computer without any problem, as if anonymous allowed that? How do I secure my application? Thanks

duduf
  • 137
  • 2
  • 9

2 Answers2

1

The configuration data used by Firebase to find your project on the servers is not a secret (see here) and can be taken from your app by anyone and then used to also make API calls against your project. There is currently now way to ensure calls to the API can only come from your app (see here).

What you instead should do is create security rules that ensure all access is authorized, no matter where the API is called from. Doing this through Firebase's server-side security rules ensures that no one can bypass these rules, not even a malicious user.

Say that you give each user their own folder in Firebase Storage. You can then use security rules to ensure each user can only read and write files in their own folder. And with those security rules in place, it doesn't matter anymore whether they use your app to access the files, or whether they call the API with your project keys and their own code:, since the access is controlled by the server-side security rules.

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
  • Thanks for your answer. The problem is that the images must be readable by everyone, the images are not private, it's on the writing that I need rules. I could associate the images at creation to an anonymous user so that only he can modify them, but if he disconnects and reconnects he won't be able to modify them anymore because he will be authenticated with another id? – duduf Jul 24 '20 at 16:43
  • 1
    If the images need to be publicly readable, but only writeable by the user who's named in the folder, that'd still be something you control in the security rules. If an anonymous user signs out, they won't be able to restore the same UID indeed. That is inherent about being anonymous. If you want them to be able to reuse the same UID across installs/devices, you should use one of the other providers that allows that. – Frank van Puffelen Jul 24 '20 at 17:14
1

I thought that the computer's RSA key entered in the firebase(android) console would prevent the android application from being compiled on another machine and thus guarantee that anonymous users are on my application.

That's not really the way it works. You can't restrict Firebase Auth from working on different devices or computers. The underlying REST APIs are public and can be called from anywhere on the internet. The SHA-1 key that you enter in the console is intended to identify your app, not a piece of hardware.

Doug Stevenson
  • 297,357
  • 32
  • 422
  • 441
  • I thought it was a security, using firebase phone auth on another application, if I compile the application with an unregistered computer I get an error telling me that my computer is not authorized. Thanks – duduf Jul 24 '20 at 16:52
  • They won't be able to compile/release the code, but they can use the same configuration data from the app to call the FIrebase APIs. See the second link in my answer for questions where this was discussed earlier. – Frank van Puffelen Jul 24 '20 at 17:14