I really enjoy using Firebase, and I would like to use it in a new app, but the app would have the user upload sensitive information.
I know Firebase uses https, but looking around, it seems Firebase does not yet make encryption at rest available.
Is there a way around this to use Firebase and still make an administrator unable to read the data from the Firebase Forge, for instance?
Thank you.
If you encrypt all data that you store in Firebase with a key that is only known to the client, it will not be readable by anyone but that client.
Update (20160528): As of a few months ago all data for the Firebase Database is also encrypted at rest.
Related
I can't see much online as to whether it's possible to upload data to Cloud Firestore via Windows Powershell, I know you are able to upload data to the Realtime Database fairly easily, but is this possible for Cloud Firestore?
I need to be able to authenticate a user for upload to follow the database rules and upload rather than using the service account key?
Thanks for any answers or advice you may be able to provide me with.
If you are asking if there is a similar mechanism as the Firebase CLI for reading and writing data to Firestore as there is with Realtime Database, the answer is no, there is no provided tool for that. It currently only provides a mechanism to delete data.
You are certainly free to write your own program using the JavaScript client libraries, which have limited support for Firebase Auth and Firestore on nodejs. You can then invoke your program on the command line. You could also use the REST APIs for both products to write something in any language you want.
I am learning Flutter by following Codelab Firebase Tutorial and developing test Android app almost similar to this. Users save their baby name and others vote their favorites which updates Votes count in database. Based on this, I have few questions related to Firebase Security.
App does not currently have any Firebase Authentication. Is it necessary to have Firebase Auth seeing users who will just vote does not need to have any kind of registration.
Can someone decompile my app and get google-services.json file? If yes, will that allow them to use this file in their app and mess my database?
How much secure is my app from non-users like I mentioned in above point if I do not include firebase auth and keep security rules to default (read, write all)?
Apologies, If I failed to convey my point properly as I am still in learning stages of App development.
You must be using Firebase Authentiction if you want per-user read/write restrictions. If you aren't using it, you can only restrict what anyone in the world can do with public access.
Yes, anyone can get the values from your google-services.json file. They are added to your app as string resources. No, it doesn't allow anyone to access everything. What you're asking here is very common, try doing some searches for that. For example this.
If you use security rules that allow all read and write access, anyone with an internet connection will be able to read and write your database. This is not really acceptable in most cases.
I want to login using custom auth endpoint in firebase admin.
For example using email and password.
http://firebasefunctionsaddres.com/loginUsingEmail
So from client I want to make request with email and password(and maybe some other info) and on firebase functions side (maybe save some data to firestore) and response with auth token.
Is it possible?
I personally didn't use the auth token, because I found an easier approach by using Firestore and just storing the user information there. It is a very simple database to use. No queries, it works just like a JavaScript Object!! And encrypt/hash the password of the user by using something like MD5, or SHA 256 before storing it!!
Here is a link to the JavaScript Firestore Documentation that'll teach you to store and retrieve data (it works super fast): Firestore JavaScript Docs
Also in this way, you have to load less Firebase Resources and all user data is stored in one place! I really like the simplicity of Google Firestore! (In my opinion, soooo much better than PHP and MySQL!)
What I want is to perform rest requests to Firebase Realtime Database from my esp8266 with micropython firmware without complex authorization process.
I know that I can turn off authorization at all in the rules but I'd prefer to have at least some basic security.
Can't I just use my Web API Key for this purpose?
Here is a doc which tells that there are 2 ways of authentication: oauth2 and generating key manually. Second way seems almost what I need but it requires setting up Admin SDK and as far as I understood still requires regenerating the key from time to time.
So eventually I have no answer to a simple question: how to authenticate rest requests to the Firebase Realtime Database in the most simple way?
The same page you linked to contains a section on using legacy tokens (also known as "database secrets" in the past). While those are not recommended anymore, they continue to work and are as simply as adding the (non-dynamic) database secret to your URLs.
I suggest you read the links at the bottom of the documentation. But I do recommend that you switch to using the OAuth or ID Token flows as those are much more secure.
Can somebody else get the Firebase credentials from my APK and use them? Is this prevented by adding the SHA-1 keys for Android?
If it is prevented, what do I need security rules for since only code from my app with my SHA-1 can manipulate database at all?
If it is not prevented, can somebody else use my Firebase database as long as his requests fit the security rules? (Write 2nd client, which actually cannot do bad things but should not be allowed at all.)
Im not sure how I should think about security rules:
A) Protecting data against access and manipulation from bad guys + B?
B) Just a set of rules to keep data in a certain state and prevent my software from doing invalid database request?
A Firebase Database can be accessed via the REST API, or any of the client libraries. The decision about whether a client can or can't do something is entirely based on the rules.
You can even just access the Database URL in a web browser and see a JSON response by putting .json on the end, e.g. https://[YOUR_PROJECT_ID].firebaseio.com/.json
So the answer is definitely B! The default rules in a new Firebase project are that read and write to the database require auth, but you can configure them to provide whatever levels of protection you need.
Take a look at the Database Rules quickstart to see what you can do!
We don't ship the Realtime Database secret (or any other "secret" material) in the json file that gets baked into your app. That file simply contains resource identifiers that allow us to know which resources (database, storage bucket, analytics, etc.) to properly authenticate to (we use Firebase Authentication for these purposes), and we handle server side authorization to ensure that users are properly logged in.
If you are authorizing your requests properly (using Firebase Realtime Database Rules, for instance), your data is secure!
I'd recommend watching The Key to Firebase Security, one of our I/O talks, which talks in greater detail about how this works.
firebaser here
Thanks to the new feature called Firebase App Check, it is now actually possible to limit calls to your Realtime Database to only those coming from iOS, Android and Web apps that are registered in your Firebase project.
You'll typically want to combine this with the user authentication based security that Mike and Ian describe in their answers, so that you have another shield against abusive users that do use your app.