As Firebase supports bundle feature for the Firestore data. To make this bundle work for all users, it has to be a public file or public endpoint so that cache will work.
https://cloud.google.com/storage/docs/caching#built-in_caching_for
How to encrypt these bundle files? So that if someone knows the bundle file URL then they must have to decrypt the data to load/read the bundle.
I already contacted Firebase support. But this is the reply from them:
There is nothing built into Firebase to end-to-end encrypt the data in Firestore bundles. But since they're just a file, you can apply any encryption scheme you want on them, as long as you can decrypt it on the device where you will then feed the data into Firestore through its API.
Since we can't recommend any specific encryption mechanism here, I recommend doing a search for an API for encrypting/decrypting files.
Related
Using Google Firebase Functions as a backend of the small application.
Functions are accessing to the Firestore and Realtime database, therefore they need service account credentials file.
On the other hand, I'm trying to automate the deployment of the functions using Github Actions.
Currently I places the credentials file inside the repository. I know that it's not secure.
What is the proper way of storing service account credentials file in this case?
Firebase projects, are, in effect, Google Cloud Platform projects.
More specifically, when you create a Firebase project, an associated Google Cloud Platform project is created for it.
Therefore the process for storing credentials is the same as in Cloud Platform, which is to say in a file, somewhere relatively safe.
This file should be accessible to your Function if it is required, and should either have its path specified as part of an environment variable or explicitly declared in code.
You are already storing it the proper way, because the improper way would be to insert the contents of the JSON file directly into code.
To prevent others from seeing the contents of the JSON file, simply set the respository as private.
I am using firebase and my backend API to get data for my APP.
The api requires a GCP key from access. This key expires every 90 days. So, I cannot store the key in the client/phone.
Need some ideas of where can I store the key.. I tried Firebase remote config and it works but the Firebase documentation said that sensitive data should not be used .
Creating a backend service that return the keys will not be secure as anyone can call the service,,
Need some suggestion. Is Firestore/Realtime database an option. The app will only read the data. However when the data changes(new keys) the App should get the latest.
Thanks for any suggestion
While distributing a private API key to the app at runtime through a mechanism like Remote Config, or a cloud database, may reduce the risk of it being intercepted, it is not enough to deter a sufficiently motivated malicious user. That's why the Remote Config documentation recommends against it, and the same applies to other distribution mechanisms (such as the databases you mention).
If this is a private API key, you should not use it in client-side code, period. That's really the only solution. When you use it in client-side code, a malicious user may get access to it and then abuse the backend service that is protected by the private API key.
Private API keys should be kept private, and only be used in a trusted environment (such as your development machine, a server you control, or Cloud Functions). When you allow users of your app to make calls through that private environment (by defining your own API for them), you will have to secure that end point yourself to ensure only authorized users can access them.
I can't see much online as to whether it's possible to upload data to Cloud Firestore via Windows Powershell, I know you are able to upload data to the Realtime Database fairly easily, but is this possible for Cloud Firestore?
I need to be able to authenticate a user for upload to follow the database rules and upload rather than using the service account key?
Thanks for any answers or advice you may be able to provide me with.
If you are asking if there is a similar mechanism as the Firebase CLI for reading and writing data to Firestore as there is with Realtime Database, the answer is no, there is no provided tool for that. It currently only provides a mechanism to delete data.
You are certainly free to write your own program using the JavaScript client libraries, which have limited support for Firebase Auth and Firestore on nodejs. You can then invoke your program on the command line. You could also use the REST APIs for both products to write something in any language you want.
Can somebody else get the Firebase credentials from my APK and use them? Is this prevented by adding the SHA-1 keys for Android?
If it is prevented, what do I need security rules for since only code from my app with my SHA-1 can manipulate database at all?
If it is not prevented, can somebody else use my Firebase database as long as his requests fit the security rules? (Write 2nd client, which actually cannot do bad things but should not be allowed at all.)
Im not sure how I should think about security rules:
A) Protecting data against access and manipulation from bad guys + B?
B) Just a set of rules to keep data in a certain state and prevent my software from doing invalid database request?
A Firebase Database can be accessed via the REST API, or any of the client libraries. The decision about whether a client can or can't do something is entirely based on the rules.
You can even just access the Database URL in a web browser and see a JSON response by putting .json on the end, e.g. https://[YOUR_PROJECT_ID].firebaseio.com/.json
So the answer is definitely B! The default rules in a new Firebase project are that read and write to the database require auth, but you can configure them to provide whatever levels of protection you need.
Take a look at the Database Rules quickstart to see what you can do!
We don't ship the Realtime Database secret (or any other "secret" material) in the json file that gets baked into your app. That file simply contains resource identifiers that allow us to know which resources (database, storage bucket, analytics, etc.) to properly authenticate to (we use Firebase Authentication for these purposes), and we handle server side authorization to ensure that users are properly logged in.
If you are authorizing your requests properly (using Firebase Realtime Database Rules, for instance), your data is secure!
I'd recommend watching The Key to Firebase Security, one of our I/O talks, which talks in greater detail about how this works.
firebaser here
Thanks to the new feature called Firebase App Check, it is now actually possible to limit calls to your Realtime Database to only those coming from iOS, Android and Web apps that are registered in your Firebase project.
You'll typically want to combine this with the user authentication based security that Mike and Ian describe in their answers, so that you have another shield against abusive users that do use your app.
I really enjoy using Firebase, and I would like to use it in a new app, but the app would have the user upload sensitive information.
I know Firebase uses https, but looking around, it seems Firebase does not yet make encryption at rest available.
Is there a way around this to use Firebase and still make an administrator unable to read the data from the Firebase Forge, for instance?
Thank you.
If you encrypt all data that you store in Firebase with a key that is only known to the client, it will not be readable by anyone but that client.
Update (20160528): As of a few months ago all data for the Firebase Database is also encrypted at rest.