
So I have an app where I have enabled Google authentication in my Firebase project. 25 people I know were authenticated. When I logged in to the backend I saw at least some 80 entries with some weird-sounding email addresses which should not be there. I had to delete all the entries manually, known and unknown ones (didn't need any after successful testing). Now that I want to go live, I am really concerned as to how unknown entries entered my Firebase authentication records.

This has recently happened 'again' to another new app/project of mine. This time I disabled that unknown email address and took a screenshot (attached). I really really need to know and understand how safe data on Firestore is. If someone can manage to 'hack' the Authentication part and add their email to the authenticated list of users, they may also be able to penetrate the database somehow in future. Please help me in understanding what is happening.

While researching this, I could only find this similar question, but the answer was just not enough explanation for me.

Unknown user in my firebase user authentication (Flutter/firebase)

Shivansh Potdar
Damandroid
  • This is a vague question and there's not enough info to formulate an answer other than *firebase authentication is safe*. So; is this a web app or a device app? How did you distribute the app? How did they sign up? Did you create the users and then distribute login info or did they create the accounts themselves? In other words, suppose a user signed up under willwhiteapple... (as shown) and then changed their mind and used a different email address - now you have two accounts for the same user. Can you clarify and update the question - we can then take a look and maybe attempt an answer. – Jay Aug 16 '20 at 13:57
  • So it is a Flutter app I made. The first app was distributed via Play Store. The second app (to which the screenshot belongs) is just on test tracks and not released yet. They all signed up themselves. The first app had Gmail sign-in and the second one had custom email/password. Everyone I know just used one email only. In fact, even if I consider that some people may have changed their mind, it still doesn't add up to the number of entries in the user tab. So for the second app, it is just me using 3-4 email addresses, and willwhiteapple is totally unknown to me and the app is not even released yet. – Damandroid Aug 16 '20 at 14:14
  • For those of you who got here from Googling "willwhiteapple", this is one of the testers on Apple's side for beta review of apps. – 1000Nettles Apr 12 '22 at 18:36

3 Answers


firebaser here

Since the configuration data for your project is embedded in the application that you send to your users, any user can take that configuration data and then start calling the API with it. This is not a security risk, as long as you secure access to the data within your project correctly for your requirements.

See Is it safe to expose Firebase apiKey to the public?

What it means to correctly secure access to your data is hard to answer, as it depends completely on your use-case.

For example: the content-owner-only access security rules allow a user to enter data in the database, and then they can access the data they entered. With these rules there's no risk if anyone uses the API (and not your app) to do the same. The security rules will ensure they can only access data they're authorized for, no matter what the source of the API calls is.

Frank van Puffelen
  • Thanks. Apologies for this delayed reply. I am very thankful for your reply. Yes, it makes sense. But this concerns me because this could theoretically eat into my free user registration limit. Secondly, since my app is only for mobile, is there a way to restrict the API to only deal with requests from mobile? – Damandroid Aug 19 '20 at 12:32
  • There is no limit to the number of users that can be registered with Firebase Authentication. There is no way to restrict the calls to a single platform. – Frank van Puffelen Aug 19 '20 at 14:23
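The content-owner-only pattern the answer refers to, written out as an added example in Firestore security rules (this is not code from the answer or from Firebase's docs); the collection path /users/{userId}/notes and the field names are assumed. The point it makes for this question: because anyone holding the client config can create an account through the API, a rule that only checks "is signed in" proves almost nothing, whereas a rule keyed on the caller's own uid limits each account to its own documents.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Too loose for this scenario: every account created via the public API,
    // including the unknown ones in the question, would get read/write access
    // to every note.
    //
    // match /notes/{noteId} {
    //   allow read, write: if request.auth != null;
    // }

    // Content-owner-only: a document lives under the owner's uid, and only a
    // request whose verified Firebase Auth uid matches that path segment may
    // touch it. An unknown account can still sign up, but it can only ever
    // read or write documents under its own uid.
    match /users/{userId}/notes/{noteId} {
      allow read, update, delete: if request.auth != null
                                  && request.auth.uid == userId;

      // On create, also constrain the shape of the data so a caller using the
      // raw API cannot write arbitrary fields (assumed schema: title and body).
      allow create: if request.auth != null
                    && request.auth.uid == userId
                    && request.resource.data.keys().hasOnly(['title', 'body'])
                    && request.resource.data.title is string
                    && request.resource.data.body is string;
    }
  }
}
```

Rules like these are evaluated server-side on every request, so they hold regardless of whether the call comes from the app, a test crawler, or a hand-written client using the embedded config.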

It may be related to the pre-launch report.

https://support.google.com/googleplay/android-developer/answer/9842757?visit_id=637478112313064713-650300184&rd=1#signin

Step 1: Provide test account credentials if your app has a sign-in screen

If your app has a sign-in screen and you want the crawler to test the sign-in process or the content behind it, you need to provide account credentials. Note: You do not need to provide credentials if your app supports 'Sign in with Google', which enables the crawler to log in automatically.

So I guess it is safe.

Kshiro


The user willwhiteapple@gmail.com is the Apple testing account used when your application is in the process of validation by Apple before deploying to TestFlight.