
I have made my mobile app using Firebase on iOS, and I use callable functions to communicate with the database.

When I try to perform a "man in the middle" attack/move using a simple app such as Charles, I can see all my calls with the data I send, in plain text. When I use a well-known app like iTunes I cannot decrypt anything (which I think is what we call SSL pinning).

I have 3 questions:

  • Do Firebase Cloud Functions (https.callable) handle SSL pinning?
  • If not, how can I protect against this? Using Node for my function, is it possible to request an SSL certificate from Firebase and link it to functions?
  • Are the mobile SDK requests pinned? I cannot see anything about read calls in my sniffing app.

Thank you all.

user2206906

1 Answer


As per this post here by Doug, all data in and out of Google is encrypted (including the client SDKs). There is simply no way around this.

Now, you can take this a step further and prevent abuse by configuring App Check which, according to the documentation, provides an additional layer of security against billing fraud and phishing.

However, you will still need to check the authentication token (automatically passed in with onCall functions) to make sure the user is authorized to execute the functions they are calling.

Hydra
  • Thank you. If everything is encrypted, how can I see the auth token in the request's header? I have endpoints, token & data in plain text simply by sniffing the network. App Check is one month old, and checking the token is useless as I can see it clearly and modify requests on the go. – user2206906 Sep 09 '21 at 21:59
  • @user2206906 That's an excellent concern you bring up. I could try to explain it, but this post does a much better job than I ever could: https://security.stackexchange.com/questions/19616/why-is-it-possible-to-sniff-an-https-ssl-request TL;DR: a proxy like Charles only works because you've installed it and given it permission to intercept the request. – Hydra Sep 09 '21 at 22:46
  • Yeah, I think I got this; the thing is how to explain that my callables are in plain text while, for example, the request to fetch Firebase Remote Config from the iOS SDK is full of strange characters. One is secure, the other one is not. – user2206906 Sep 10 '21 at 07:18
  • This is the Firebase request's body: https://ibb.co/KFfCXGN and this is my callable function request's body: https://ibb.co/NNyGdkn Both were captured sniffing the network with SSL decryption. Is there a way for me to achieve what the Firebase SDK does? – user2206906 Sep 10 '21 at 07:24
  • @user2206906 According to the documentation here https://firebase.google.com/support/privacy all Firebase data is encrypted in transit using HTTPS, and here https://stackoverflow.com/questions/63550897/firebase-cloud-functions-tls-certificate?noredirect=1&lq=1 Doug states that Cloud Functions provide an SSL certificate. Perhaps you haven't configured Charles to proxy the Remote Config host. This only works because you trusted Charles and allowed it to install a certificate in your browser, enabling it to intercept your SSL requests. This can't be done without the user's knowledge. – Hydra Sep 10 '21 at 19:36
  • So this can be done by malicious people. If I'm malicious, I can, without using my app: (1) read data (if rules allow) from the REST API (I can read the request header, so I have the token); (2) call functions (because I use sniffing) with, for example, an id I got from my REST request... This is not secure at all. Plus App Check is not available for Firestore... – user2206906 Sep 14 '21 at 10:51
  • @user2206906 You can only sniff your own requests because you have to explicitly allow a proxy to do so. The only way a user would be able to get your token is if they had direct access to your computer. Tokens are refreshed every hour and are verified with the auth servers for authenticity during each request. It is secure. If you have any further questions, consider creating a new SO question. If you found my answer useful, please upvote and accept it. – Hydra Sep 14 '21 at 11:52
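Added example, not code from the question, the answer, or Firebase itself: the authorization check the answer's last paragraph calls for, which is what makes a replayed or guessed id (the concern in the Sep 14 comment) useless to someone who is not the owner. It is written against a constructed in-memory order store so it runs without firebase-functions; the handler has the same (data, context) shape as a functions.https.onCall handler, and HttpsError is a stand-in for functions.https.HttpsError.

```javascript
// Stand-in for functions.https.HttpsError (same code/message shape).
class HttpsError extends Error {
  constructor(code, message) { super(message); this.code = code; }
}

// Constructed stand-in for the Firestore documents the real function would read.
const ORDERS = {
  'order-1': { ownerUid: 'alice', total: 42 },
  'order-2': { ownerUid: 'bob', total: 7 },
};

// Handler body for a callable that returns one order.
// Rule: identity comes only from context.auth, which Firebase fills in after
// verifying the ID token; nothing in `data` (client-controlled) decides who the caller is.
function getOrderHandler(data, context) {
  // 1. No verified ID token -> context.auth is undefined -> reject.
  if (!context.auth) {
    throw new HttpsError('unauthenticated', 'Sign in required.');
  }
  // 2. Validate the client-supplied input shape before using it.
  if (!data || typeof data.orderId !== 'string') {
    throw new HttpsError('invalid-argument', 'orderId must be a string.');
  }
  const order = ORDERS[data.orderId];
  // 3. Ownership check: an id copied from someone else's traffic does not match
  //    this caller's uid. Missing and foreign orders get the same response so
  //    the function does not reveal which ids exist.
  if (!order || order.ownerUid !== context.auth.uid) {
    throw new HttpsError('not-found', 'No such order.');
  }
  return { id: data.orderId, total: order.total };
}

// Small wrapper that turns a thrown HttpsError into { error: code } so the
// outcome of each call can be inspected as a value.
function call(data, context) {
  try {
    return getOrderHandler(data, context);
  } catch (e) {
    if (e instanceof HttpsError) return { error: e.code };
    throw e;
  }
}
```

In a deployed function the same body sits inside `functions.https.onCall((data, context) => ...)`, and the Firestore read replaces the `ORDERS` lookup.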