
I am trying to implement SafetyNet in my app. I also don't have a server, and I am using Firebase Firestore and Firebase Functions.

My knowledge about Firebase Functions is very limited. And I was wondering if I could somehow use the functions to help me with the SafetyNet attestation. As I see it, I should be producing a nonce on the cloud, sending this nonce to the app, using it to attest, and sending it back to the cloud to verify the integrity, correct?

But I can't seem to find anywhere on how to do this. Can anyone point me in the right direction?

Ravers

1 Answer


YES

Sorry for the excitement there, but this is possible since a few weeks ago through a new feature called Firebase App Check.

With App Check, you always end up with a two-step process:

  1. Use an attestation provider (such as SafetyNet) in your application, so that information about the app is attached to each request it makes to Firebase.
  2. Then at some point in time, when enough of your app requests have this information attached, check for the app information in Cloud Functions, or enable the check in one of the other supported services.

If you check the documentation on enabling App Check enforcement for Cloud Functions, you'll see that it mostly boils down to this check in the code:

// The firebase-functions SDK provides `functions` (import needed to make the snippet complete).
const functions = require('firebase-functions');

exports.yourCallableFunction = functions.https.onCall((data, context) => {
  // context.app will be undefined if the request doesn't include a valid
  // App Check token.
  if (context.app == undefined) {
    // Reject the call before any business logic runs.
    throw new functions.https.HttpsError(
        'failed-precondition',
        'The function must be called from an App Check verified app.')
  }

  // Your function logic follows.
});
Frank van Puffelen
  • That sounds really promising! I use Firestore to store my user data. So I will need to change all the Firestore calls to a Function call, and make my Firestore action inside the function. Is that correct? – Ravers Jun 05 '21 at 15:53
  • I answered the headline title: "Can I use SafetyNet with firebase functions?" Firestore currently doesn't support App Check yet, but that may change. It's up to you to decide whether you want to wrap Firestore in Cloud Functions because of that. I personally would not, as through Authentication and Security Rules I can typically secure the data access quite well already. – Frank van Puffelen Jun 05 '21 at 18:13
  • I know that this isn't the main question. But can you point me on how to secure my Firestore database from root users? I actually have rules like: "allow read, write: if request.auth != null && request.auth.uid == userId;" but somehow someone could root and change data in my Firestore database – Ravers Jun 05 '21 at 18:34
  • What's a root user in this scenario? And maybe more importantly: how does someone become a root user? – Frank van Puffelen Jun 05 '21 at 20:10
  • Sorry, I mean users with a rooted phone. My main problem here is that someone with a rooted phone changed the "points" textview, and since I was using the textview to add the server points (noob move), he managed to set its points very high. That's why I am studying SafetyNet and Firebase Functions in the first place. But maybe I am going in the wrong direction? Maybe I just need to create like 3 variables and verify them instead of reading a textview, right? – Ravers Jun 05 '21 at 20:59
  • Ooof... that seems pretty different, and broad. In general, patching security against malicious users is much harder than coming up with a secure model to begin with. So I'd recommend that first, for example like I described here: https://stackoverflow.com/q/66896313. If you can make it into a specific question, it might be worth posting that separately. – Frank van Puffelen Jun 06 '21 at 14:15
  • I understand that this is a different set of questions and have already created a different post. Thanks a lot for your tips @Frank – Ravers Jun 06 '21 at 14:40