0

I am building flutter mobile app that is intensively using firebase services and firestore. in app start, the app communicates with firestore to retrieve some basic keys and paramaters that app uses in different services, like APIs Keys, IDs, .. etc.

would like to understand if this approach is secure enough? or there is a possibility that communication (firestore query) to be hacked somehow and the keys are stolen?

Note: I am using simple firebase rule that allow read and write if user is signed in using Firebase Authentication

I can indeed hardcode these keys in the app code, however I prefered this database approach to give myself the chance to change these keys if it is changed by the services providers for any reason.

any answers or links are much apprecaited.

Mark Nugromentry
  • 195
  • 2
  • 10

1 Answers1

1

You should assume that any value used inside your client-side application can be found by a malicious user and used for their own purposes.

Once someone has those keys, they can call the APIs that require them differently than what your own application code does, unless you use some other means to prevent this such as Firebase's security rules and App Check.

When using security rules, the best way to prevent somebody from doing something different from your application's use-cases is to encode those use-cases in the security rules too. So instead of just requiring someone to be signed in, expand your rules to validate that only the operations that your own code requires are allowed. Use-case by use-case lock it down, until your cod and rules cover the same set of use-cases.

Also see:

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
  • Thanks Frank. Understood. I guess with Appcheck and security rules it will be secured from Server side (limit who can retrieve these data). Still not very sure about the client side (the flutter app). May be it is more into flutter security now, would like to know more on how to secure the code itself. If any documentation or reference answers would be great. Thanks again – Mark Nugromentry Dec 14 '22 at 15:47
  • 1
    Any data that reaches the app should be presumed to be accessible to anyone with access to that device. If that is not acceptable for your use-case, you can either implement end-to-end encryption or should look for a system that does that for you. – Frank van Puffelen Dec 14 '22 at 16:55
  • I am still trying to understand this part. Why this assumption. Is that because of a probability of jacking the “code” itself? Or the App communication with firestore. – Mark Nugromentry Dec 14 '22 at 20:09
  • Because If first one (app code). Then encryption will not help because the app will have the encryption key. So still in the same issue. – Mark Nugromentry Dec 14 '22 at 20:11
  • Fair point --- – Frank van Puffelen Dec 14 '22 at 21:18