In my app users can read and write data on Firestore.
In the Firestore Database there is also a "Credit" document for each user where the balance of coins is stored.
How can I be sure that no one could modify an APK of the app in order to change the balance?
In the app there are some functions that remove some coins from the balance; my fear is that someone could change the code and add coins instead.

3 Answers
Assuming that your app implements Firebase Authentication to authenticate operations on Firestore, it's safe to say that your app is compiled with a key and it has a hash. It's not possible for someone to decompile the app, change the code and recompile it with your key, so the new "hacked" app will have a different key and hash, Firebase Authentication will not work, and your db will be safe.

Remember to check db and storage rules when you go to prod – Patrick G. Aug 23 '22 at 20:53
I think you need to secure the data itself. In your scenario I don't think you can have code in the app that simply writes a value to the balance. You need to create a separate API or Firebase function to secure what you are trying to do.

If you want to ensure that only your application code can call Firestore, consider enabling Firebase App Check.
Just keep in mind that:

> Using App Check does not guarantee the elimination of all abuse

So you'll want to combine it with other security measures, for example through the server-side security rules that Firebase also offers for Firestore.
Also see:

So what PatrickGhara said isn't enough? Key and hash don't guarantee that my app code can't be changed and recompiled? Obviously I set the rule `allow read, write: if request.auth!=null;` – faccio Aug 24 '22 at 17:02
Without App Check, anyone can get your API keys from the app binary, and then make their own API calls with that. Once they do, the rule you suggest does nothing: they can wipe your entire database with a few API calls. – Frank van Puffelen Aug 24 '22 at 17:23
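
The server-side rules mentioned in the answers, as an added example that is not part of any post above: a Firestore ruleset that lets a signed-in user only lower their own balance, so a modified client cannot add coins. The collection name `credits`, keying each document by the user's UID, and the integer field `balance` are assumptions about the asker's schema.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Weak rule from the comment thread, shown for contrast only:
    //   allow read, write: if request.auth != null;
    // Any authenticated caller could then write any value to any document.

    // Assumed layout: one document per user at /credits/{uid}
    // holding an integer field named "balance".
    match /credits/{uid} {

      // A user may read only their own credit document.
      allow read: if request.auth != null
                  && request.auth.uid == uid;

      // A client update must:
      //  - come from the owner of the document,
      //  - change the "balance" field and nothing else,
      //  - keep the balance a non-negative integer,
      //  - strictly decrease the stored value (spending only).
      allow update: if request.auth != null
                    && request.auth.uid == uid
                    && request.resource.data.diff(resource.data)
                         .affectedKeys().hasOnly(['balance'])
                    && request.resource.data.balance is int
                    && request.resource.data.balance >= 0
                    && request.resource.data.balance < resource.data.balance;

      // Clients never create or delete credit documents.
      // Creating the document and adding coins is left to trusted
      // server code using the Admin SDK, which bypasses these rules.
      allow create, delete: if false;
    }
  }
}
```

These rules are evaluated by Firestore itself, so they hold regardless of which client binary sends the request. A user can still spend their own coins faster than the app intends; if that matters, move spending into server code as well.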