I'm developing a mobile app using Firebase and its email authentication feature. I found that there are some unknown sign-ups with email addresses from the 21cn.com domain even though I haven't published the app yet. It seems like these email addresses are related to this website (https://mail.21cn.com/w2/).
Is there a way to prevent these unknown signups from outside, or how can I improve the project's safety?
I was looking around, even in my own projects, and it is not possible to audit who added the accounts to Firebase Auth and/or how (not even in the Activity logs of the GCP project associated with your Firebase project).
So, if you don't know those accounts, I'd suggest deleting them. Also, if the app is not yet published, maybe someone else (if more users are involved in the project) added those accounts directly to Firebase Auth.
Also you may want to change the password of your account.
In general the security of the Firebase Console is up to you.
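One way to act on the advice above, as an added example that is not part of the original answer: a small audit with the Firebase Admin SDK that pages through every account and flags sign-ups whose email domain is not on your expected list, so you can review them before deleting. It assumes firebase-admin is initialised elsewhere and that `admin.auth()` is passed in; the sample records and the fake `listUsers` pager are constructed so the helpers run offline.

```javascript
// Added example (not from the original answers): audit Firebase Auth users with
// the Admin SDK and flag sign-ups from email domains you did not expect. Assumes
// firebase-admin is initialised elsewhere and admin.auth() is passed in.

// Domain part of an email address in lower case, or null if it is malformed.
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const at = email.lastIndexOf('@');
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

// Users whose email domain is not in allowedDomains, plus users with no email
// at all (anonymous or phone accounts you did not plan for).
function flagUnexpectedUsers(users, allowedDomains) {
  const allowed = new Set(allowedDomains.map((d) => d.toLowerCase()));
  return users.filter((u) => {
    const domain = emailDomain(u.email);
    return domain === null || !allowed.has(domain);
  });
}

// Page through every account with auth.listUsers() (real Admin SDK API) and
// return the flagged records. Review them before calling auth.deleteUser(uid).
async function auditUsers(auth, allowedDomains) {
  const flagged = [];
  let pageToken;
  do {
    const page = await auth.listUsers(1000, pageToken);
    flagged.push(...flagUnexpectedUsers(page.users, allowedDomains));
    pageToken = page.pageToken;
  } while (pageToken);
  return flagged;
}

// Constructed sample records shaped like UserRecord objects, for offline use.
const SAMPLE_USERS = [
  { uid: 'u1', email: 'me@example.com' },
  { uid: 'u2', email: 'someone@21cn.com' },
  { uid: 'u3', email: 'another@21CN.com' },
  { uid: 'u4' },
];

// Stand-in for admin.auth() that serves SAMPLE_USERS in two pages.
const FAKE_AUTH = {
  async listUsers(maxResults, pageToken) {
    if (!pageToken) return { users: SAMPLE_USERS.slice(0, 2), pageToken: 'p2' };
    return { users: SAMPLE_USERS.slice(2), pageToken: undefined };
  },
};
```

Run `auditUsers(admin.auth(), ['example.com'])` against a real project in place of `FAKE_AUTH`; the flagged list is what the answer suggests deleting once you have confirmed nobody on the project created those accounts.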
Related
I am trying to figure out a problem I currently have. I have a software platform where restaurant owners can make and publish their own mobile apps. Menu access, reservation control, etc etc. I am using Firebase as my backend.
Each restaurant app I make requires a customer login. The problem is that a customer can download another app from one of my restaurant clients and log in with the same credentials, because I am using the same Firebase project for multiple apps under the same company.
This is not what I want. Can I make multiple instances of Firebase Authentication? Or when the user registers, do I hardcode the username and password into the database and check that upon registration and signing in? If I did that, I would lose the power of third-party logins.
Please let me know of any ideas you guys might have..
Thanks!
Jorge
Firebase Auth can't have multiple instances per project. You would need to create multiple projects in order to get more instances.
However, what you're talking about could be called "multi-tenancy", where you have multiple organizations each sandboxed from each other in a single project. For that, you will need to adopt Google Cloud Identity Platform and work with it using the Firebase APIs as described by the documentation.
I developed an app to test the google login feature using flutter and google authentication. The project is a closed project and only I have access to it. But recently I saw that there was a google sign in from an unknown Email ID. How did the user login without the build of my app? Has my account been hacked? What is going on?
Anyone with knowledge of your project's API keys can access your Firebase project using simple curl commands.
This is why it's a good idea to add restrictions to those API keys.
In case you haven't, go to https://console.cloud.google.com and
Select your project
Click the menu icon at the top left (hamburger icon)
Go to APIs & Services and then Credentials
You can view the APIs for your Google Cloud Project (linked to your Firebase Project) and then set restrictions for the API keys, refresh them or restrict access to specific platforms like Android or iOS.
You can also set restrictions on which components of Firebase the API key is allowed to access. For example, if your project doesn't require the use of Cloud Firestore, you can ensure that the API key cannot be used to make calls to the Firestore database.
All said and done, I would still recommend that you shoot a mail to the Firebase Support team at https://firebase.google.com/support/troubleshooter/contact
To anyone still wondering about this:
If you provide a native Google sign-in and the registered email addresses look like this:
karolynmccorkle.91842#gmail.com
normabrock.69306#gmail.com
guillermogeorge.53163#gmail.com
kylegomez.35423#gmail.com
opalbarrett.09499#gmail.com
they are probably test accounts used to generate Google Play's pre-launch reports.
You can read about it in the Play Console Help here.
If your app has a sign-in screen and you want the crawler to test the sign-in process or the content behind it, you need to provide account credentials. Note that you do not need to provide credentials if your app supports "Sign-in with Google", which enables the crawler to log in automatically.
I don't need to see the total number of users. I only want those who are currently active (not signed-out users) in my app through email and password. I want to see it from the Firebase console. Help me please.
The Firebase Console doesn't show the number of users that are currently signed in to Firebase Authentication.
If you want to know how many users are actively using your app, you'll have to build something yourself.
Gaurav's comment about using an Analytics tool is a good hint. Even though Firebase's analytics SDK isn't available for the web, there are other analytics tools out there that would allow you to track the number of active users.
Another way is to write some information to a cloud database each time a user takes an action in your app. Then you can query that database to determine how many unique users recently took actions. That is actually pretty much what most analytics packages do. :)
A final option would be to use the Firebase Realtime Database's presence system, which uses a more active approach to detect how many users are currently connected to the database.
I want to develop an Ionic app for android and ios using firebase backend.
Requirement:
1. I want to use anonymous authentication silently so that the user does not have to worry about login.
2. I just want to display list of some items on the home page using Firestore api.
Question/Problem:
1. How will Firebase know that only my app is using the Firestore get API?
2. If I am storing API credentials/secrets in my Android app and another user somehow obtains these credentials, will that person be able to use the API on behalf of my credentials without my being able to track the usage?
Top Level:
If someone knows my Firebase API credentials/secrets, will that person be able to use up my Firebase quota when I am using Firebase anonymous authentication?
Thanks in advance.
The settings you use to initialize the Firebase SDK are not "secrets". It's all very much public information that identifies your app from all the other Firebase apps out there. Every Firebase app has a similar set of public data. Once you publish your app, you should assume that everyone is able to see that data.
This means that anyone can use that data. That's why it's important to use Firebase Authentication along with security rules to make sure that people logged in can only make use of whatever resources you specify. That's the only way to lock down the data in your Firebase project. If you are concerned about security, then you should be thinking about your security rules from the very beginning.
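What "security rules" look like for the Ionic question above, as an added example that is not part of the original answer: a Firestore ruleset that lets any signed-in user, including one signed in anonymously, read the home-page list but lets no client write to it. The collection name `items` is an assumption.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Public catalogue for the home page: readable by any authenticated user,
    // which includes users signed in anonymously (request.auth is non-null).
    // Unauthenticated requests made with just the public config are refused.
    match /items/{itemId} {
      allow read: if request.auth != null;
      allow write: if false;   // only the Admin SDK or the console changes items
    }
    // Firestore already denies anything no rule allows; this only makes the
    // closed default explicit for anyone reading the file.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Rules gate what a signed-in client may read or write; they do not stop someone with the public config from creating anonymous accounts, so combine them with the API key restrictions described earlier on this page.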
I have a Firebase app, and I want to know if it's possible to restrict a Firebase Console user to access only the "Authorizations" tab (to CRUD users). The access must be via the regular Firebase web console.
In particular, I don't want the user to see the database data via the web console. Is that possible? I've managed to give him access to the entire project, and he can do anything I can do (he is an Admin).
I haven't found anything about this in the docs or by searching.
firebaser here
Collaborators on a project currently have access to the entire Firebase Console. You can limit them to read-only access, but you currently can't limit which panels they have access to.
We've heard the request before and know this would expand the usefulness of the Firebase Console. I recommend that you file a feature request to add your vote.