Firebase security rules for mobile apps - flutter

I am a bit confused about Firebase security rules. Do we need to write Firebase security rules only for websites, or should we write them for mobile apps also? I am trying to build a mobile app. Do I need to use Firebase security rules (Firebase is my backend) for my mobile app, or are Firebase security rules only for websites and not required for my mobile app? Please clear my confusion.

Security rules save your data from being updated/read/written/deleted by unauthorized users. They are not web or app specific; they are globally applied on your database (Firestore or Realtime Database) and Firebase Storage.
For more, please check https://firebase.google.com/docs/rules/

Related

Do I need a Firebase project to use Firebase App Check?

I want to secure my own custom API for my Flutter app.
I came across Firebase App Check, but I do not want to use Firebase.
Can I use Firebase App Check without a Firebase project? It seems like there is no Firebase involved. Only other app attestation services. https://firebase.google.com/docs/app-check/flutter/custom-resource
Do I need a Firebase project to use Firebase App Check?
Yes.
It seems like there is no Firebase involved. Only other app attestation services.
Firebase is not an attestation provider, but it uses other providers, and it's a bit easier to integrate those providers using the Firebase SDK than using them directly, e.g. reCAPTCHA v3 for web apps.
Once you integrate the Firebase App Check SDK in your Flutter app, you'll have to get the App Check token using getToken() and add it to your API request. Then you just need to verify the token in your backend using the Firebase Admin SDK.
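
The backend half of the flow described in the answer above, as an added example that is not part of the original answer: an Express-style Node.js middleware that rejects requests lacking a valid App Check token, read from the X-Firebase-AppCheck header used in Firebase's documentation. The names requireAppCheck and simulateRequest, the optional app-ID allowlist, and the stub verifier are assumptions made for illustration; in production the verifier would be getAppCheck() from firebase-admin/app-check.

```javascript
// Added example: middleware that verifies an App Check token before the route runs.
// `appCheck` is any object exposing verifyToken(token) -> Promise<{ appId }>,
// which is the shape returned by getAppCheck() in the Firebase Admin SDK.
// `allowedAppIds` is a hypothetical extra check, not something App Check requires.
function requireAppCheck(appCheck, allowedAppIds) {
  return async function (req, res, next) {
    // Node lowercases incoming header names.
    const token = req.headers["x-firebase-appcheck"];
    if (typeof token !== "string" || token.length === 0) {
      return res.status(401).json({ error: "missing App Check token" });
    }
    try {
      // Rejects if the token is malformed, expired, or signed for another project.
      const claims = await appCheck.verifyToken(token);
      if (allowedAppIds && !allowedAppIds.includes(claims.appId)) {
        return res.status(403).json({ error: "app not allowed" });
      }
      req.appCheck = { appId: claims.appId };
      return next();
    } catch (err) {
      // Fail closed: never fall through to the handler on a verification error.
      return res.status(401).json({ error: "invalid App Check token" });
    }
  };
}

// Constructed stand-in for the Admin SDK verifier so the example runs offline.
const stubAppCheck = {
  verifyToken: async (token) => {
    if (token !== "valid-token") throw new Error("bad token");
    return { appId: "1:111:android:aaa" }; // constructed sample app ID
  },
};

// Drives the middleware with a minimal fake req/res and reports the outcome.
async function simulateRequest(headers, allowedAppIds) {
  const out = { status: 200, body: null, passed: false };
  const res = {
    status(code) { out.status = code; return this; },
    json(body) { out.body = body; return this; },
  };
  const mw = requireAppCheck(stubAppCheck, allowedAppIds);
  await mw({ headers }, res, () => { out.passed = true; });
  return out;
}
```

A valid App Check token only shows that the request came from a registered app instance; user authorization still has to be checked separately.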

database Firebase flutter RevenueCat security

I have a security issue with Firebase.
I want all users to be able to update their data in a Firebase database from a Flutter app, but only after some app verification, payment for example. So I don't want them to be able to write data except through the app process, and I have no idea how to separate the app user who has the right after verification from the one who doesn't and just knows the address of the database.
To summarize, how can I be sure a request is from the Flutter app and only grant access if that's the case?

CloudKit private database developer access

I'm wondering if it's possible for me to access a user's private database on the Development schema as the app developer. I'm just testing locally on my devices, but I need to be able to inspect the records of devices not associated with my developer account for debugging purposes.
Thanks so much!
The only way to do this is to sign in to the CloudKit Dashboard with that user's Apple ID. Their data is otherwise private.
Alternatively, you could create a mechanism in your app that pushes a user's data to the Public database of your app for help/troubleshooting purposes. That data is visible to you there as the app developer and you could download and inspect it.

Analytic data not showing up with Bluemix Mobile Application Security

I'm using MAS with a Node.js app and a hybrid (not ios8 native) mobile application. I can make authenticated calls to my Node.js server, but I'm noticing that I have nothing showing up in Analytics. Is there a reason for that?
Have you tried clearing your iPhone's keychain? There can be some issues with Bluemix analytics due to lingering stale keychain data. Check out this SO question for code to clear the keychain.

Apple guidelines for financial application security

I have read the secure coding guide provided by Apple. I am looking at developing a financial application. What are the best methods to authenticate the user? Are there any specific guidelines for finance applications (relating to security) given by Apple?
Just generic wisdom:
Don't store the password in plain text. Although the typical user can't access files inside of an iPhone, a jailbroken iPhone has full root access and will be able to peer inside the bundle, and can easily read a plain text file called "userPass.txt." Instead, use the iPhone's keychain to store logins and passwords.
As evidenced by PayPal's iOS security blunder that just happened, be sure to use a secure HTTPS connection when authenticating to a server. Someone packet sniffing on an open WiFi network is able to exploit the current iOS PayPal app and get credentials out of the air.