Firestore and data encryption in Flutter - firebase

Tl;dr.. I'm making a todo app where I store data in Firestore, and I don't want anyone to see it not even the devs from firebase console. I found many encryption pkgs that do the job, like: encrypt. My problem is how to I handle the 'encryption key'. I don't want to keep it local because in my app user can access it's account from different devices, so if the key is stored locally they cannot decrypt thus retrieve their data (notes) from the other device (i hope this makes sense). So, do I send the 'encryption key' to firestore in a seperate collection or ... how should I approache this ?

You could store the key with Firebase Remote Config and retrieve it in the app when you need it.
Firebase Remote Config is a cloud service that lets you change the
behavior and appearance of your app without requiring users to
download an app update. When using Remote Config, you create in-app
default values that control the behavior and appearance of your app.
Then, you can later use the Firebase console or the Remote Config
backend APIs to override in-app default values for all app users or
for segments of your user base.
Check out the documentation for the flutter_remote_config plugin.

Related

Flutter get User Data from Firebase

I want to get User Data from firebase, I need the diplayName of a User. is there any way to get the displayName of a other user with his uid?
There is no way to look up information about another user in Firebase Authentication by using the client-side SDKs of Firebase, as that would be a security risk.
There are two common ways to allow searching the users in a secure way:
Write information about each user to a database (such as Cloud Firestore or the Realtime Database) when they register, and then search the database when needed. That way your code controls what data gets written and thus is searchable.
Firebase has Admin SDKs that run in trusted environments, such as your development machine, a server you control, or Cloud Functions. These SDKs have options to list users, which means you can search them. If you wrap one of the Admin SDKs in a custom API that you build and secure yourself, you can then call that from your Flutter code.
Also see:
React native firebase authentication searching
You can't get the name, or any other details of a user that is not currently signed in using FirebaseAuth.
Instead, you must create a node in your database where you store the name, and any other necessary details by querying the database.

Firebase Firestore not showing documents created by my flutter application

I was able to configure the Firestore database in Firebase with my flutter app and also create and read documents from my collection but when I go to Firestore console I don't see the created data, also when I creat data manually I am unable to see it in my application.
I am using the test mode which means any user can read or write.
I hope someone can help me with this puzzle.
Thanks!!!
It sounds like the device/emulator that you are running on is not connected to the internet, or at least not to the Firestore servers. In that case, the client writes all local changes into a local database, waiting to send them to the server when it gets a connection. So the local app will work, but won't be able to synchronize its local cache with the database servers.
You might want to check the connection on your device, and any proxies that might exist between your app and the Firestore servers.

I just deleted my app from firebase console , but it is still working and changing data in the realtime database

I just deleted my flutter app from firebase console , but it is still working and changing data in the realtime database.
Can anyone tell me how its still connected with the firebase?
Thanks
According to Firebase documentation, when you delete an app:
Corresponding API keys or OAuth clients are NOT deleted. You can clean
up the API keys or OAuth clients in the Google APIs console
credentials page. Deleting these resources will break installed
applications: your users will no longer be able to authenticate or
sign in.
Access to the realtime database is not limited to apps that are registered in the Firebase console. Any code that has the proper configuration for your database, can try to access that database. If you want to be more selective in who can access the database, you will need to do this with Firebase's server-side security rules, typically in combination with Firebase Authentication.

Can Firebase Database be set up to host data for 3rd party client? (e.g., analytics service)

Is it possible to set up Firebase to allow Auth/DB access into a common/shared database instance - where that instance is setup to be a centralized storage location for some 3rd party service?
For example, let's say there's an analytics service called StackOverflowAnalytics.com .. and so anyone who signs up for that service, can add tracking to their app with some secret user key. And then all the tracking for that Key is pushed to the same Firebase DB instance. And then the user can login via Firebase auth and the rules will restrict that they can only access the node for their Key.
I'm working on a 3rd party analytics client for Android - along the lines https://mint.splunk.com - where I would like to provide users a small Java/Android library they can add to their Android project, and this will help them track different data points while their app is running. The data is made accessible by saving it to the cloud from the device.
I am currently using Firebase, but it seems in order for the Firebase Auth & DB of a given Firebase instance to be accessible - the "specific app signing key" (package name/etc combo) needs to be set in the console for that Firebase instance.
It seems sharing across across unknown apps is not possible on Firebase. And that if I want to support something like that with Firebase (and not have to go to another cloud storage option), then I need to set up some proxy REST client .. like in Java or PHP .. that can serve as a centralized access point to that Firebase instance. Just wanted to check with other folks first in case this has been encountered and perhaps there are best practices already established around this particular case. Thanks
Firebase client libraries are generally not meant to be repackaged for use in other libraries. They're meant to be used at the app level.
A unique SHA-1 key is required on Android for Authentication to work with a particular app identified by package name. This requirement will definitely become a problem for you if you want this to work with arbitrary apps, since you would have to manually enter one for each app that wants to integrate.
As far as I know it's not possible to do what you want without creating a proxy, as you mentioned. I assume that firebase has some app validation that make unfeasible to share the Auth/DB.
Maybe a solution for you is to make a proxy too to access data:
"It looks like in order to access Firebase Analytics data, you export it to BigQuery. This is working for me and is automated."

Can somebody get Firebase credentials from my apk and use them?

Can somebody else get the Firebase credentials from my APK and use them? Is this prevented by adding the SHA-1 keys for Android?
If it is prevented, what do I need security rules for since only code from my app with my SHA-1 can manipulate database at all?
If it is not prevented, can somebody else use my Firebase database as long as his requests fit the security rules? (Write 2nd client, which actually cannot do bad things but should not be allowed at all.)
Im not sure how I should think about security rules:
A) Protecting data against access and manipulation from bad guys + B?
B) Just a set of rules to keep data in a certain state and prevent my software from doing invalid database request?
A Firebase Database can be accessed via the REST API, or any of the client libraries. The decision about whether a client can or can't do something is entirely based on the rules.
You can even just access the Database URL in a web browser and see a JSON response by putting .json on the end, e.g. https://[YOUR_PROJECT_ID].firebaseio.com/.json
So the answer is definitely B! The default rules in a new Firebase project are that read and write to the database require auth, but you can configure them to provide whatever levels of protection you need.
Take a look at the Database Rules quickstart to see what you can do!
We don't ship the Realtime Database secret (or any other "secret" material) in the json file that gets baked into your app. That file simply contains resource identifiers that allow us to know which resources (database, storage bucket, analytics, etc.) to properly authenticate to (we use Firebase Authentication for these purposes), and we handle server side authorization to ensure that users are properly logged in.
If you are authorizing your requests properly (using Firebase Realtime Database Rules, for instance), your data is secure!
I'd recommend watching The Key to Firebase Security, one of our I/O talks, which talks in greater detail about how this works.
firebaser here
Thanks to the new feature called Firebase App Check, it is now actually possible to limit calls to your Realtime Database to only those coming from iOS, Android and Web apps that are registered in your Firebase project.
You'll typically want to combine this with the user authentication based security that Mike and Ian describe in their answers, so that you have another shield against abusive users that do use your app.

Resources