I am developing an app on unity3d and using firebase realtime database for user info and stats. The users need to authorize (via google) to read/write data to database inside the app. Since, users do not know the database address, which is embedded inside the app, do I still have security problem? If yes, what should I do? I do not want any user to change their own stats :)
Yes you still might have a security problem. Security by obscurity is not true security. It is still possible for people to snoop network traffic away from your app to get the address of the database. The firebase way of solving this is via Database Rules configured in the console/CLI. Making it so users cannot change their own stats will depend on how your app is structured and who IS allowed to change them. In any case, this can be expressed in Rules as well.
Just you have accessibility to database and its rules. Users just can read and write and change their data and they can't change another one's data.
Related
In my app users can read and write data on Firestore.
In the Firestore Database there Is also a "Credit" document for each user where the balance of coins Is stored.
How can I be sure that no One could modify an APK of the app in order to change the balance?
In the app there are some functions that remove some coins from the balance, my fear Is that someone could change the code and add coins instead.
assuming that your app implements firebase authentication to authenticate operations on firestore it's safe to say that your app is compiled with a key and it has an hash.. it's not possible to someone to decompile the app, change the code and recompile it with your key.. so the new "hacked" app will have a different key and hash and firebase authentication will not work and your db will be safe
I think you need to secure the data itself. In your scenario I don't think you can have code in the app that simply writes a value to the balance. You need to create a separate API or firebase function to secure what you are trying to do.
If you want to ensure that only your application code can call Firestore, consider enabling Firebase App Check.
Just keep in mind that:
Using App Check does not guarantee the elimination of all abuse
So you'll want to combine it with other security measures, for example through the server-side security rules that Firebase also offers for Firestore.
Also see:
Locking down Firebase DB access to specific apps
How to allow only my app to access firebase without a login?
I found a previous question very similar to mine, however the other developper needed to write to Firebase and I don’t, hence this near duplicate question:
I have a very simple database with about 150 documents and the users don’t need to authenticate to use my app. Authentication just don’t make sense for what the app does and users only read the database, they don’t write.
My current rules are read allow only which of course triggers the Firebase rule warning daily.
1) Is there a way to set rules similar to “only requests coming from my app can access it”. Given that the app is linked to firebase one would think it’s possible?
2) If I must use authentification, is there a way that I can do this behind the scenes so that the user is unaware of that? Maybe by using a UUID to identify a user and no password or something like that. I want to avoid showing a log in screen at all cost. Think of it as asking to log in to check gas prices...
** This is an iOS app
No, it's not possible.
You can use anonymous authentication to create a user account without requiring a sign-in.
I am currently using Cloud Firestore for my iOS app, which allows users to store their expenses to the database, but in order to secure privacy, is there any way I can make sure that I can't read the data that they are inputing into the database. While the queries and all still work, I or any admin isn't able to see what users have put into their database?
No such feature exists. Admin access through the console and the Admin SDK is able to read all collections and documents all the time.
As #Frank van Puffelen suggested:
Obfuscating the data through encryption, will prevent any unwanted eyes from viewing any information. This will add to your workload since you will need to perform the encryption and decryption at either end of the app (client and server).
I believe, you could take advantage of firebase's cloud code, to minimise the amount of code execution performed on the device, but I have never tried this, so am unable to confirm.
As far as an encryption key, you have a few options:
The user's password: This is one way of ensuring the encryption without revealing the key to any admin, since passwords in firebase are already obfuscated from any viewer. The only issue would be that a user would be locked into a password, as changing it would prevent decryption.
Store locally: You could store the key locally on the device, which would mean that the user could enter a key, or have one auto-generate, upon launching the app for the first time. You would then store this in the app's default key storage, and retrieve when required. Whilst, I believe this to be the safest, it means that your app could not be used across iCloud devices, since the key would be stored locally.
Finally, is CloudKit, which allows you to store data in the cloud. This is private, and only accessible to the user's cloud devices.
I realise that there is no code in this example, I am not currently at my desk, for which I am sorry for, if anyone else would like to edit with some code examples, I would be grateful.
I hope this helps.
I'm quite new to Cloud Storage solutions, and I'm currently researching options to upgrade our current solution (we currently just upload on a SVN server).
What I have is a native application running on client computers, which will upload data to the Cloud Storage. Afterwards, client should be able to download and browse their data (source is not set in stone, could be a website or from other applications). They should not be able to access other user's data.
I'm not sure how I'm supposed to proceed. As far as I understand, the native application will upload using a Native Application Credential, using JSON.
Do I need multiple credentials to track multiple users? That seems wrong to me. Besides when they come back as 'users' through the web interface, they wouldn't be using that authentification, would they?
Do I need to change the ACL of the uploaded files afterwards?
Should I just not give write/read access to any particular users and handle read requests through Signed URLs, dealing with permission details by myself using something else on the side? (not forcing a Google Account is probably a requirement)
Sorry if this is too many questions, and thanks!
Benjamin
The "individual credentials per instance of an app" question has come up before, and unfortunately there's not a great answer. If you want every user to have different permissions, you need every user to be associated with a different account.
Like you point out, the best current answer, other than requiring users to have Google accounts, is to have a centralized service that vends signed URLs to the end applications. That service would be the only owner of all of the objects and would give out permission to read or upload as needed.
I'd like to use Amazon SimpleDB to store data for my iPhone app. Different users will own items within the same domain. I'd like for users to be able to delete their own items but not each others', and for this restriction to be enforced server-side.
I am hoping to use anonymous TVM.
What is the best way to do this?
Using IAM User Management you can create a custom policy for each user or group to allow or deny access to delete items in SimpleDB. If each user has their own domain you can restrict access to the domain by using the arn format arn:aws:sdb:<region>:<account_ID>:domain/<domain_name>
I think that you can't use IAM - you seem to say that you have one domain where all user data is stored.
One way to achieve what you want is to use item name prefixes that are user based, e.g. user jimsmith would have all items stored under an item name that beings with 'jimsmith' or some random string, unique to jimsmith (which could be stored somewhere).
Then you are in charge of security, so you would not be able to have the phones directly query AWS - they would need to talk to your intermediary server which would handle security. You have to assume that people could run the app on a jailbroken phone, and decompile, etc.
You can use IAM to restrict a single user to a small portion of an S3 bucket though. You could then index the bucket using a server app of your design. Then the DB could be used for searching purposes with your own code, so that iPhones only deal with S3.
From what I have researched the simpleDB user right policies aren't designed to be used in such a way you are proposing (meaning undisclosed number of users of the app) and the way to handle this might be to use some server application in-the-middle as was suggested here: Mobile app and SimpleDB direct 'Access Policy'