
I need some advice on how to properly set up a solid security structure for my app.

What my app does

The goal of this app is to provide a data aggregation service. To do this, the user needs to provide login data for a variety of his accounts.

The user can then trigger a Firebase Cloud Function which performs web scraping with the provided credentials, encrypts the result data, and stores it in Firestore.

Current encryption

Currently, the encryption key is stored in a separate document in the Firestore database. The cloud function gets the key, performs de- and encryption, and stores the data as a cipher.

Now I know this is kind of pointless, because if someone hacked my Google account, the data would still be readable to him.

Problems

Besides this security flaw, I am facing some other problems.

As long as the described encryption only happens in a cloud function, this may be relatively secure because the cloud functions are isolated. My problem is that there is no way to perform a database query from the client because:

  1. there is no "onRead" cloud function, in which I would decrypt the data before sending it to the client
  2. decrypting the data on the client would expose the encryption key to potential hackers (at least that's what I am thinking at the moment)

Conclusion

I have decided to try GCP's KMS which seems to be the solution to all of these problems. However, I am overwhelmed by all these new terms and most of the resources I found seemed outdated.

The closest I came was this post: http://www.geero.net/2017/05/how-to-encrypt-a-google-firebase-realtime-database/ but since it's from 2017, it seems to be outdated (as far as I understand from this answer).

So I am a bit lost on where to start, what to use, and how to manage responsibilities.

Questions

  1. Is it possible to create a secure client-side decryption with KMS? If not, how should this get handled?

  2. How do I implement KMS with Firebase and Firebase Cloud Functions? (Any pointing in the right direction would help)

  3. Do you recommend using this package for the cloud function implementation: https://www.npmjs.com/package/@google-cloud/kms

  4. Did you spot any other security flaws than those I mentioned?

  5. Do you have any additional advice?

Thanks in advance!

Christian
  • It's not possible to do what you want "out of the box". If you're not pressed for time you can [request this feature](https://firebase.google.com/support/troubleshooter/report/features) and wait. – Wojtek_B Oct 04 '21 at 12:12
  • Unfortunately I can't wait. Do you know of a workaround that you could recommend? – Christian Oct 04 '21 at 12:47
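
The question describes a data key that sits in Firestore next to the ciphertext it protects. As an added example (not part of the original post or its comments), here is the envelope-encryption layout that a KMS-backed design uses instead: each record gets a fresh data key, and only a wrapped copy of that key is stored with the record. `LOCAL_KEK`, `wrapDek`, `unwrapDek`, `sealRecord` and `openRecord` are hypothetical names, and the local key is a constructed stand-in for a key held in Cloud KMS so the code runs offline.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed stand-in for the key-encryption key (KEK). Assumption: in the design
// the question aims for, this key lives in Cloud KMS and wrapDek/unwrapDek become
// calls to that service, so the KEK is never written to Firestore.
const LOCAL_KEK = nodeCrypto.randomBytes(32);

// AES-256-GCM with a random nonce; output layout is iv(12) | tag(16) | ciphertext.
function aesGcmEncrypt(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

function aesGcmDecrypt(key, blob, aad) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAAD(aad);
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// The user id is bound in as associated data, so a wrapped key copied into
// another user's document fails authentication instead of decrypting.
const wrapDek = (dek, uid) => aesGcmEncrypt(LOCAL_KEK, dek, Buffer.from(uid));
const unwrapDek = (wrapped, uid) => aesGcmDecrypt(LOCAL_KEK, wrapped, Buffer.from(uid));

// Runs inside the cloud function: returns the object that would be written to Firestore.
function sealRecord(uid, record) {
  const dek = nodeCrypto.randomBytes(32); // fresh data key per record
  return {
    uid,
    wrappedDek: wrapDek(dek, uid).toString('base64'),
    data: aesGcmEncrypt(dek, Buffer.from(JSON.stringify(record)), Buffer.from(uid)).toString('base64'),
  };
}

// Also server-side: unwrap the data key, then decrypt and parse the record.
function openRecord(uid, doc) {
  const dek = unwrapDek(Buffer.from(doc.wrappedDek, 'base64'), uid);
  const plain = aesGcmDecrypt(dek, Buffer.from(doc.data, 'base64'), Buffer.from(uid));
  return JSON.parse(plain.toString('utf8'));
}
```

With this layout, a copy of the Firestore data alone yields only ciphertext and wrapped keys; reading a record additionally requires permission to use the KEK.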

0 Answers