
*** update: This is called reverse engineering. See answer.


Can hackers unpack the Flutter app and convert it to the native file (folder lib) and change code in the lib folder?

For example, some games that are made from Unity can unpack the game file and edit code to hack it.

If it is possible to edit code in Flutter, the hacker can change the code to insert, update, ... the data in Firebase.

For example, if the customer buys a product, the Flutter app will insert an order in Firebase and update the money balance of the user. The hacker can edit the code that updates the money balance from ...$ to 1,000,000$ (I am rich).

Should we use the Firebase API on the host instead of Firebase in Flutter?

This is my opinion and I am new to firebase.

I think that, when Flutter becomes popular, a program that can unpack the Flutter app will appear.

*** new example ***

  1. My Flutter project has buy.dart.
  2. buy.dart can:
- receive new order object data.
- insert the new order in Firebase.
- update the money balance (old - product price) of the user.
  3. I build the Flutter app from the Flutter project.
  4. The user (customer) has the Flutter app.
  5. The user uses the program that can unpack the Flutter app into a Flutter project.
  6. After unpacking, the user has the Flutter project.
  7. The user edits buy.dart from
- receive new order object data.
- insert the new order in Firebase.
- update the money balance (old - product price) of the user.

to

- receive new order object data.
- insert the new order in Firebase.
  8. The user has the edited Flutter project.
  9. The user builds the Flutter app from the edited Flutter project.
  10. The user has a Flutter app that can shop without paying money.

This is what I mean. It will happen when someone creates the program that can unpack the Flutter app. Or can I add a script like step 7 in Firebase rules? (buy.dart will - receive new order object data and - insert the new order in Firebase, then Firebase will automatically - update the money balance (old - product price) of the user.)


What you'll need to do is use Firebase Authentication along with Firestore security rules to protect your data at the server, so that users can only do what you say they can do. You will need to design rules that implement exactly what you want to protect.

By authenticating your users and writing security rules, you can fully restrict read / write access to your Firebase data.

Firebase security is enforced by server-side rules that you author, which govern read or write access to given paths in your Firebase data tree.

Firebase security rules are JavaScript-like expressions: easy-to-write expressions that have access to the credentials for the connection, and the view of the Firebase data tree as it exists, along with pending changes on write.

Nikunj Ramani
  • Thank you for your answer. Can we add a script in Firebase rules? After the customer adds an order including order id, createdAt, ... on Firebase, Firebase will run this script, which will automatically find the price of the order by the received id, then check and update the balance of the customer (oldBalance - price). – Sittiphan Sittisak Aug 01 '22 at 07:00
  • At the moment, my Flutter app fetches the order data by order id, then checks the order price and customer balance, then updates the new balance. That is done in the Flutter app in some file in `lib`. If the customer can unpack the Flutter app into Flutter files (then the customer has my Flutter project), the customer can change the native logic or not update the new balance. – Sittiphan Sittisak Aug 01 '22 at 07:07
  • I added `*** new example ***` to my question. I think that is not about rules, unless we can add a script in rules. – Sittiphan Sittisak Aug 01 '22 at 07:32
  • Hi, I used a wrong word. This is called reverse engineering. See the answer at https://stackoverflow.com/questions/73192274/flutter-the-flutter-reverse-engineering-makes-using-the-firebase-in-the-flutter?noredirect=1#comment129268405_73192274. – Sittiphan Sittisak Aug 01 '22 at 12:52
  • I understand now. We can configure everything in Firebase rules, and the database design keeps some fields secret (in Flutter, we can't fetch specific fields). Although the app was decompiled, the user still can't do anything that conflicts with the Firebase rules. – Sittiphan Sittisak Oct 12 '22 at 08:36