
Please could I ask for a bit of advice.

I have an app that does not require users to create accounts and does not use authentication. The app stores settings in Firestore.

To secure Firestore, I have set up App Check and set it into enforcement mode for Firestore.

I assume that Firestore is now secure and I don't need any Firestore rules.

Is that correct?

Luke

1 Answer


App Check is not a replacement for writing security rules, but rather the two are complementary. While App Check is a great deterrent for abuse, a sufficiently motivated malicious user may still be able to bypass it.

That's why it's recommended to combine App Check for broad protection against abuse and security rules for fine-grained control of who has access to what data.

Frank van Puffelen
  • Thanks for the reply. What security rules would you recommend I use if I don't require users to create accounts and authenticate? – Luke Jul 31 '22 at 20:22
  • That seems like a different question Luke. --- In general: don't focus on what you don't need, but instead make sure that your security rules allow exactly what your code does, and nothing more. --- If you need to allow something per-use but don't want the user to have to enter credentials, have a look at anonymous auth: https://firebase.google.com/docs/auth/flutter/anonymous-auth. --- If you have more questions, open a new question with enough details on exactly what you do, and where you are stuck. – Frank van Puffelen Jul 31 '22 at 21:32
  • Hi Frank, my app has a feature that allows some text to be submitted. I don't need to capture the name of the user submitting the text. I just want to prevent access to Firestore from anything other than my app. I thought that was what App Check did? – Luke Aug 01 '22 at 09:29
  • App Check reduces abuse, but is no guarantee. From the [docs](https://firebase.google.com/docs/app-check#how_strong_is_the_security_provided_by): "App Check relies on the strength of its attestation providers to determine app or device authenticity. It prevents some, but not all, abuse vectors directed towards your backends. Using App Check does not guarantee the elimination of all abuse, but by integrating with App Check, you are taking an important step towards abuse protection for your backend resources." – Frank van Puffelen Aug 01 '22 at 14:56
  • Thanks Frank. That's good enough for me. I am not storing personal, sensitive data in Firestore. – Luke Aug 01 '22 at 15:57
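As an added illustration of the "allow exactly what your code does, and nothing more" advice above (this is not part of the answer or the comments, and nothing here is Firebase's own code), the following Firestore security rules cover the unauthenticated "submit some text" feature described in the comments. The collection name `submissions`, the field names `text` and `createdAt`, and the 2000-character limit are assumptions for the example; adjust them to match what the app actually writes.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed collection: the app only ever creates documents here, one per
    // submitted text. No read, update or delete is needed by the client, so
    // none is granted. Nothing in these rules references App Check; App Check
    // enforcement is a separate project setting, and these rules still hold
    // for a request whose App Check token was forged or bypassed.
    match /submissions/{submissionId} {
      allow create: if
        // only the two fields the app writes, nothing extra
        request.resource.data.keys().hasOnly(['text', 'createdAt'])
        && request.resource.data.text is string
        && request.resource.data.text.size() > 0
        && request.resource.data.text.size() <= 2000   // assumed limit
        // client must send serverTimestamp(); rules see it as request.time,
        // so a caller cannot backdate or forge the timestamp
        && request.resource.data.createdAt == request.time;

      allow read, update, delete: if false;
    }

    // Settings documents are read by the app but never written from the
    // client (assumption for the example); writes stay server-side.
    match /settings/{settingId} {
      allow read: if true;
      allow write: if false;
    }

    // Everything not matched above is denied, so a new collection added to
    // the app later is closed until a rule is written for it.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

If the app later adopts anonymous auth (the option Frank points to), the `create` rule can additionally require `request.auth != null`, which lets rate limiting or per-user quotas be expressed against `request.auth.uid` without asking the user for credentials. Before deploying, exercise these rules in the Firebase Emulator Suite with a document that has an extra field, an over-long `text`, and a client-supplied `createdAt`; each of those writes should be rejected while a well-formed submission is accepted.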