That's my scenario:

1) I am developing an iOS app that uses Firebase Storage.
2) My app has a custom, lightweight authentication mechanism based on Facebook login.
3) All authenticated users can access ANY data in Firebase Storage.
4) All others cannot.

All I want is to ensure that only my app can access storage. If I were building my own server, I would just evaluate each incoming request against some API key that is pre-set in the app, so all requests coming from my app are resolved successfully. And if somebody else wants to use my API, they would have to know the API key.
I see that this is not a solution for a web app, because everybody can see the source code (and the API key), but this is OK for a mobile app, where there is no such possibility.
So my question is: should I bother about it, or does Firebase already do this work based on the API key in the config file? And if I should, what would you recommend?
Maybe I missed something in Firebase's docs, but I found them unclear about this particular issue.
3 Answers
In normal circumstances, yes, all others cannot access the storage. But nothing is 'unhackable'.
People could reverse engineer your app and get the credentials, API key, etc. So the best way is to apply another layer of protection such as this (for iOS) and this (for Android) (just for your reference). It is still hackable, but it takes more effort; normally people would give up attacking it.
I assume you are using the standard Firebase setup, which requires you to download the config file. Looking into the config file you placed in the project, it allows people to access the Firebase features (Firebase Storage in this case) under your API key usage. You could apply two-factor authentication (either from Firebase Auth or Facebook auth) to authenticate genuine users.
Hope it gives you some ideas, cheers!
First, it is very possible for someone to decompile your mobile app and get the code for it, even if it’s not exactly what you wrote. There are no secrets in your APK or IPA.
Your only chance at protecting files in Cloud Storage is using Firebase Authentication along with security rules defined for your storage bucket. If you’re using some form of custom auth, you’ll have to use Firebase Auth on top of that and generate a JWT for each user.
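To make the point of this answer concrete, here is an added example of a Cloud Storage for Firebase security rules file (`storage.rules`). It is not code from the answerer or from the Firebase project, and the object layout it assumes (`/users/{uid}/...` for per-user files, `/public/...` for shared assets, a 5 MiB image-only upload limit) is a hypothetical one chosen for illustration. The commented-out rule at the top is what the asker's scenario amounts to: because the API key is not a secret, anyone who extracts it from the IPA and completes the same sign-in flow gets a valid Firebase Auth token and can read or write every object. The rules below tie access to the `uid` inside the verified token instead. Note that App Check (discussed in the next answer) is enforced per service from the Firebase console, not inside rules, so it complements rather than replaces this.

```firebase
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {

    // BEFORE (the asker's scenario, shown for contrast, deliberately disabled):
    // any signed-in user may read or write ANY object in the bucket.
    // match /{allPaths=**} {
    //   allow read, write: if request.auth != null;
    // }

    // AFTER: each user may only read objects under their own uid prefix.
    // request.auth.uid comes from the Firebase Auth token the backend verified,
    // not from anything the client sends in the path or the request body.
    match /users/{uid}/{allPaths=**} {
      allow read: if request.auth != null && request.auth.uid == uid;
    }

    // Writes are only accepted in a dedicated uploads folder, and only when the
    // uploaded object is a small image. request.resource is the incoming object.
    // Hypothetical limits: 5 MiB and image/* content types.
    match /users/{uid}/uploads/{fileName} {
      allow create, update: if request.auth != null
                            && request.auth.uid == uid
                            && request.resource.size < 5 * 1024 * 1024
                            && request.resource.contentType.matches('image/.*');
      allow delete: if request.auth != null && request.auth.uid == uid;
    }

    // Shared assets: readable by any signed-in user, never writable from a
    // client. Upload them with the Admin SDK or the console instead.
    match /public/{allPaths=**} {
      allow read: if request.auth != null;
      allow write: if false;
    }

    // Everything not matched above is denied by default; no catch-all rule.
  }
}
```

When several `match` blocks apply to the same path, access is granted if any one of them allows it, which is why the owner block above grants only `read` and leaves all write operations to the stricter `uploads` block. Exercise the rules with the Firebase Local Emulator Suite before deploying: a request for `/users/alice/notes.txt` with a token whose `uid` is `bob` must be denied, and a 10 MiB `application/octet-stream` upload to `/users/alice/uploads/x` must be rejected even for Alice.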
Thanks to the new feature called Firebase App Check, it is now actually possible to limit calls to a Firebase project to only those coming from iOS, Android and Web apps that are registered within that project.
You’ll typically want to combine this with the user authentication based security rules, such as those shown in the Firebase documentation on common access control patterns.