5

Now, the question I have posted sounds quite vague, as no development team should release an application into production without Firebase security rules, but what I really wish to know is how a malicious user could potentially access the data on a Firebase project if AppCheck is in place. Let's say I have a simple application that lets users jot down quick notes (which are saved to Firebase Firestore). Now, every user has to be authenticated and all the notes created by that user lie under a collection with their email or uid.

If I am releasing this application only on Android and iOS platforms and AppCheck is securely in place, the only way to read/write or modify data on Firestore would be through a genuine version of the app released on AppStore or PlayStore, which means an unauthorized user/hacker cannot read or modify any data (they are not supposed to have access to) unless they either reverse engineer the android or ios app or inject malicious code that lets them do so. I cannot imagine this would be an easy task to do. Now while I will implement AppCheck and Firebase Security Rules before releasing an app, how do I account for this possibility, i.e the app being reverse-engineered or hacked? And how likely is it? Because AppCheck also states that only "requests originate from your authentic app" will be allowed, which I assume means an application that has not been tampered with.

Hari Aditya
  • 167
  • 10

1 Answers1

6

While App Check adds an important layer of protection against abuse to your applications, it does not replace Firebase's server-side security rules.

Using App Check drastically reduces the changes of abuse from unauthorized code, but as with any security mechanism that runs a client-side check, there is always a chance that a malicious user can bypass it. From the documentation on How strong is the security provided by App Check?:

App Check relies on the strength of its attestation providers to determine app or device authenticity. It prevents some, but not all, abuse vectors directed towards your backends. Using App Check does not guarantee the elimination of all abuse, but by integrating with App Check, you are taking an important step towards abuse protection for your backend resources.

Security rules on the other hand are evaluated on the server only, and cannot be bypassed by anyone. You can tightly control exactly what data any specific user can access.

By combining App Check and security rules, you can reduce broad abuse quickly, while also retaining fine-grained control over who can access what data.

We had a good discussion about the topic here too: What is the purpose of Firebase AppCheck?

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807