Disclaimer: I am new to mobile app development and have little to no knowledge on authentication systems

Normally, when my mobile app makes HTTPS calls to my backend server, I know that I cannot trust that these calls to my server came from my app, as anyone can make HTTPS requests to my backend server. Even if I give the app a secret key, it is still possible for a hacker to obtain the key and include it in HTTPS requests. Therefore, I will not allow HTTPS requests to accomplish whatever they want on the server; rather, I will limit the request to doing only what a user can normally do with their own data – delete their OWN posts, edit their OWN profile, and so on.

Does Firebase work the same way? I saw this StackOverflow thread regarding OAuth consumer secrets, and how they can be compromised and used to imitate a mobile app.

Is this also the case for Firebase?

Can a malicious user theoretically obtain whatever keys/secrets Firebase gave to my mobile app, and use that to emulate requests from my app to Firebase? For example, could they create new users and cause de-syncing issues with my own backend database?

If so, how can I prevent it?

Thanks.

Nathan Tew

1 Answer

Does Firebase work the same way?

Firebase works in whatever way you program it. Normally you do not put private keys in software that you distribute to end users. The recommended approach is documented very well - use Firebase Auth ID tokens to indicate who is making the call, and use code on your backend to figure out if they should be able to do the work they are requesting. This is what happens with direct database access from your app, but you have to write security rules to protect data according to your requirements.

If you are passing tokens yourself to your own backend, it is up to you to revoke any refresh tokens that you find to be compromised. You cannot fully stop hackers from compromising a system that stores user tokens on devices that you don't control. All you can do is make it hard for them to do so.

Can a malicious user theoretically obtain whatever keys/secrets Firebase gave to my mobile app

Yes, that's why you don't put secrets in code that you distribute to end users. The Firebase config that you're asked to add to your app is not considered private.

See also:

Doug Stevenson
  • So am I right to say that the only "secrets" stored on the client device are their own ID token and refresh token, and so my backend should be written such that anyone in possession of this information should only be allowed to do what a normal user should? – Nathan Tew Oct 09 '22 at 03:29
  • Also, about the thread linked in my original question, is the Firebase apiKey essentially equivalent to the "OAuth consumer secret" that my linked thread discusses? – Nathan Tew Oct 09 '22 at 03:41
  • No, there is nothing "secret" about that. Please read the last link in my answer. – Doug Stevenson Oct 09 '22 at 03:55
  • I'm not saying that the Firebase apiKey is "secret", I get that you can't do much with it on its own. I did read your link. I'm asking if the considerations discussed in the thread I linked (considerations about the consumer secret) can be applied to the apiKey, which seemed to say that this consumer secret can actually be exposed as long as the user access token (i.e. the Firebase's refresh token) is kept safe (which sounds like the discussion in your link). – Nathan Tew Oct 09 '22 at 04:48
  • "Safe" is a debatable term. Data stored on consumer devices are only as safe as the consumer makes the device safe. There are a number of ways of tricking or forcing the consumer to give up their hardware or data. Firebase does what it can to make that difficult, but nothing is certain. – Doug Stevenson Oct 09 '22 at 12:39