
I have a mobile app that I'm preparing to get to production.

When I first started working on the app, I added authentication on the frontend side. In that case, I add GoogleService-Info.plist to the bundle, and it can be found and retrieved by someone who is interested.

Is it dangerous? Does anyone who has this file have access to my Firebase account? Should I move authentication to the backend altogether and just send a JWT token on sign in?

  • It depends. If you are just authenticating, it will be OK. But if you want access to the users' data using the Firebase Admin library, for example for authorization or sending push notifications, you will need a backend. – Victor Gonzalez Chamorro Aug 14 '21 at 10:48
  • @VictorGonzalezChamorro Yes, I have a dedicated backend for handling everything else. The only thing I'm using firebase on the frontend for is authentication. So you are saying that if I'm using firebase for auth only, anyone who has access to the plist file can't do any harm? What about using this file in some project and doing lots and lots of sign-ins to increase my costs? I know it is a superficial scenario, but is it possible at all? – Andrei Kulagin Aug 14 '21 at 11:19
  • The data in the `GoogleService-Info.plist` merely identifies your Firebase project on the backend. It does **not** automatically grant the code access to the resources. See the question I linked, and more on API keys here: https://firebase.google.com/docs/projects/api-keys – Frank van Puffelen Aug 14 '21 at 13:41

0 Answers
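
The distinction drawn in the comments above (the plist identifies the project, while Admin SDK credentials belong on a backend) can be turned into a pre-release bundle check. This is an added example, not part of the original thread; the file names, sample values and the classification heuristic are constructed assumptions.

```python
import json
import plistlib

# Constructed GoogleService-Info.plist; every value is a placeholder.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>API_KEY</key><string>EXAMPLE-API-KEY-PLACEHOLDER</string>
  <key>GCM_SENDER_ID</key><string>000000000000</string>
  <key>PROJECT_ID</key><string>example-project</string>
  <key>BUNDLE_ID</key><string>com.example.app</string>
  <key>GOOGLE_APP_ID</key><string>1:000000000000:ios:0000000000000000</string>
</dict></plist>"""

# Constructed service-account key file, the kind of credential the Admin SDK uses.
SAMPLE_SERVICE_ACCOUNT = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "admin@example-project.iam.gserviceaccount.com",
}).encode()

def classify_bundle_file(name, data):
    """Return (verdict, detail) for one file that would ship in the app bundle."""
    if name.endswith(".json"):
        try:
            doc = json.loads(data)
        except ValueError:
            doc = None
        if isinstance(doc, dict) and doc.get("type") == "service_account":
            return ("secret", "service-account credential; keep it on the backend")
    # A PEM private key is a secret whatever file it sits in.
    if b"PRIVATE KEY-----" in data:
        return ("secret", "contains a PEM private key")
    if name.endswith(".plist"):
        try:
            doc = plistlib.loads(data)
        except Exception:
            return ("unknown", "not a valid plist")
        if isinstance(doc, dict):
            # Project identifiers only: expected to ship with the app.
            return ("identifier", "keys: " + ", ".join(sorted(doc)))
    return ("unknown", "no rule matched; review manually")

def secrets_in_bundle(files):
    """files maps file name -> bytes; return the names that must not ship."""
    return sorted(n for n, d in files.items() if classify_bundle_file(n, d)[0] == "secret")

if __name__ == "__main__":
    bundle = {"GoogleService-Info.plist": SAMPLE_PLIST,
              "service-account.json": SAMPLE_SERVICE_ACCOUNT}
    for name, data in bundle.items():
        print(name, classify_bundle_file(name, data))
```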