2

I have built an app (Android/iOS) using Flutter that allows its users to configure the app to receive a daily notification. Users can also submit a textfield. There is no requirement for users to register and authenticate.

I am using Firestore to store data from the app.

I have architected the app so that the Firestore rules allow any access:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}

To prevent anyone accessing my app's Firestore instance, I have implemented App Check, and Enforcement is enabled.

I have begun to get messages from Google '[Firebase] Your Cloud Firestore database has insecure rules'.

Can anyone advise:

  1. Should I ignore the warnings from Google?
  2. Must I implement user registration and authentiation when it's not necessary for the app?
  3. Should I architect my app in a different way?
  4. Should I do something else?

Thanks,

Luke

Luke
  • 1,149
  • 1
  • 7
  • 15
  • 1
    While App Check is a great tool in reducing abuse, it is not foolproof. Ask yourself this: if any malicious user can wipe your entire database with a pretty simple script. Is that an intended use-case? If not, your security rules should prevent that. See https://stackoverflow.com/questions/73184569/no-need-for-firestore-rules-with-app-check-in-enforcement-mode/73184982#73184982, https://stackoverflow.com/questions/68756032/does-firebase-app-check-discard-the-need-for-implementing-security-rules and https://stackoverflow.com/q/67948531 – Frank van Puffelen Aug 10 '22 at 14:51
  • 1
    Thank you Frank. I have now created a rules set that restricts what data can be added, and which documents can be deleted. This adds some additional restrictions that will reduce the malicious damage that could be done with my database. – Luke Aug 12 '22 at 13:14

1 Answers1

2
  1. Should I ignore the warnings from Google?

Ignoring the warning is not recommended as it may cause security issues.

If you're allowing anyone to access database, then they can take advantage and modify, or delete your data. And your database remain unsecured

2.Must I implement user registration and authentiation when it's not necessary for the app?

If it is not necessary for authenticating user for your application then you can apply some validation rules to restrict certain database nodes or you can permit role based access. In this way you can reduce security issues.

@samthecodingman has given excellent details about number of ways to tighten up database to prevent security issues in similar thread

Roopa M
  • 2,171
  • 4
  • 12
  • Thank you Roopa M. I have now created a rules set that restricts what data can be added, and which documents can be deleted. This adds some additional restrictions that will reduce the malicious damage that could be done with my database. – Luke Aug 12 '22 at 13:14