I am using a Firebase project where I sign users in as anonymous on the Auth part. My issue is I'm on the Blaze plan and I wonder, can't people just decompile my app, take my google-services.json file and make an app out of it to basically spam my Firebase backend and bill me a lot of money? I've read that there are SHA-1 restrictions on the Google developers API to ensure only apps with a certain SHA-1 signature can access Google APIs, but I can not understand if this can solve my issue? Can't people just copy my SHA-1, isn't it publicly available inside the APK file? How may I ensure that people can't just decompile my app and spam my Firebase backend so I won't be billed 1 million dollars by Google?
1 Answer
can't people just decompile my app take my google-services.json file?
Essentially, yes, they can.
and make an app out of it to basically spam my firebase backend and bill me a lot of money?
Not if you implement Firebase Authentication and security rules correctly. Anonymous auth and email/password auth still allow anyone to create an account, so you will want to gate what someone can do with either of these types of accounts. With email address validation, you at least have some measure of protection against automated attacks.
I suggest reading: Is it safe to expose Firebase apiKey to the public?
I strongly suggest not just using anonymous auth as your security mechanism. You should also place limits on what anonymous users can actually do. You should also encourage your users to upgrade their anonymous accounts to full accounts in order to get full access.
Can't people just copy my SHA-1?
No, that's a cryptographic hash based on your private signing key. If you keep that private key safe, then no one can sign their APK to mimic your registered SHA-1.
How may I ensure that people can't just decompile my app and spam my firebase backend so I won't be billed 1 million dollars by Google?
Same answer as your first question - implement Firebase Auth and security rules correctly. If, for whatever reason, security rules aren't powerful enough for what you want to protect, implement your own custom backend API endpoints to provide access to data in a way that you find secure.
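One way to put the "limit what anonymous accounts can do" advice into practice is in the security rules themselves. The block below is an added example, not code from the question, the answer or Firebase's documentation; it assumes a Cloud Storage layout with hypothetical /previews, /sounds and /users/{uid} paths and distinguishes anonymous from upgraded accounts via the sign_in_provider claim that Firebase puts in the ID token.

```rules
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // True when the caller signed in with something other than anonymous auth
    // (password, google.com, ...). Anonymous users fail this check.
    function isFullAccount() {
      return request.auth != null
        && request.auth.token.firebase.sign_in_provider != 'anonymous';
    }
    // Stricter: full account AND the email address has been verified
    function isVerifiedAccount() {
      return isFullAccount() && request.auth.token.email_verified == true;
    }

    // Hypothetical low-cost previews: any signed-in user (anonymous included)
    // may read, but only small objects, so a scripted client cannot
    // drain egress by pulling large files through an anonymous session.
    match /previews/{file} {
      allow read: if request.auth != null && resource.size < 200 * 1024;
      allow write: if false;
    }

    // Hypothetical full-size sound files (the ~5 MB objects from the comment):
    // only upgraded, verified accounts may download them.
    match /sounds/{file} {
      allow read: if isVerifiedAccount();
      allow write: if false; // uploads happen through a trusted backend only
    }

    // Per-user uploads: owner only, capped size, audio content type only
    match /users/{uid}/{file} {
      allow read: if request.auth != null && request.auth.uid == uid;
      allow write: if isFullAccount()
        && request.auth.uid == uid
        && request.resource.size < 5 * 1024 * 1024
        && request.resource.contentType.matches('audio/.*');
    }

    // Deny everything not matched above
    match /{allPaths=**} {
      allow read, write: if false;
    }
  }
}
```

Reads that are denied by rules are not billed as downloads, so the cap on what an anonymous session may fetch is also a cap on the cost an attacker with a copied google-services.json can run up.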
I have actually read all these posts, sorry for my ignorance, I'm not good at cryptography. I was mostly wondering if SHA-1 could be mimicked. I'll do more research to understand why it can't be, but as of now your answer satisfied me. I also have good Firebase security rules; the problem on my behalf is that every single user can access certain documents like sound files with sizes of 5 MB, so that's why I was afraid of quota – cs guy Sep 22 '20 at 03:26