
I know anyone can see the database URL from google-services.json in an Android application just by extracting the APK.

I think that if we hide the childName reference of the DB, then a hacker cannot access the database. Or is there any other way to access data from only the DB URL?

In this case, my security rules are public.

Here is a view of my database (this is a dummy project).

After the DB URL, the hacker must need the child names; we can hide these (I know they cannot be hidden 100% securely, but we can make them hard for a hacker to find).

He needs the child name again to access it.

2 Answers


  1. Security rules are the only way to truly secure access to only those Firebase Auth accounts that should be able to access it. Anything else (including your suggestion of "hiding childName reference") is just making it harder to access, but that’s not really security at all.

    Again, security rules are the only way to go if you want real security and not just obfuscation. Either that, or lock down your database rules and provide some other truly secure means to allow access to it.

    See also:

  2. With your current rules, a malicious user needs to only know the URL of your database to access all data in it. Seriously, try this: https://icaptcha-bfc94-default-rtdb.firebaseio.com/.json.


    If you want to make it slightly harder for them to read the data, at the very least change your rules to only allow access to the specific named node:

    {
      "rules": {
        "PayoutDays": {
          ".read": true,
          ".write": true
        }
      }
    }
    

    Now they will have to know the name PayoutDays before they can access the data.


    One additional step would be to include a less guessable value in the path, for example:

    {
      "rules": {
        "PayoutDays-asdhuqw9nnuucxzksdb21872nn1n": {
          ".read": true,
          ".write": true
        }
      }
    }
    

    The key name is now a lot less guessable, so it’s less likely that a malicious user can guess it.


    But the problem here is still that anyone who uses your app can see the keys it loads, and thus use that to reproduce the access. To make that harder, consider implementing App Check and (as Doug said in his answer) authentication (even if only anonymous auth) and security rules.

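As an added example (not from the original post and not Firebase's own rules engine), here is a small Python simulator of how Realtime Database rules cascade. It reproduces why each rule set in the answer behaves the way the answer says: with public root rules a read of `/.json` returns everything; with a rule only on `PayoutDays`, a read of `/.json` is denied but `/PayoutDays.json` is allowed; with the long key, a guess of `PayoutDays` fails; and `RULES_AUTH_ONLY` (my own assumed variant, not from the post) denies unauthenticated reads entirely. The simulator only understands `true`/`false` and the literal expressions `auth != null` / `auth == null`, plus `$wildcard` keys; anything else is rejected.

```python
"""Simplified simulator of Firebase Realtime Database rule cascading.

Added example, not code from the original post or from Firebase. It models
one property of the real engine: a '.read'/'.write' rule at the requested
location or at any ancestor grants access, and rules *below* the requested
location are never consulted (readable children do not make a parent readable).
"""
from typing import Any, Optional

# Rule sets from the answer above.
RULES_PUBLIC = {"rules": {".read": True, ".write": True}}
RULES_NAMED_NODE = {"rules": {"PayoutDays": {".read": True, ".write": True}}}
RULES_SECRET_PATH = {"rules": {
    "PayoutDays-asdhuqw9nnuucxzksdb21872nn1n": {".read": True, ".write": True}}}
# Assumed variant (not from the post): same node, but only for signed-in users.
RULES_AUTH_ONLY = {"rules": {"PayoutDays": {".read": "auth != null",
                                            ".write": "auth != null"}}}


def _eval_rule(expr: Any, auth: Optional[dict]) -> bool:
    """Evaluate the tiny subset of rule expressions this simulator supports."""
    if isinstance(expr, bool):
        return expr
    if expr in ("true", "false"):
        return expr == "true"
    if expr == "auth != null":
        return auth is not None
    if expr == "auth == null":
        return auth is None
    raise ValueError(f"unsupported rule expression in this simulator: {expr!r}")


def _allowed(rules: dict, path: str, op: str, auth: Optional[dict]) -> bool:
    """Walk from the root towards `path`, granting on the first true rule.

    `op` is ".read" or ".write"; `auth` is None for an anonymous REST call or a
    dict (e.g. {"uid": ...}) for a signed-in user.
    """
    node = rules["rules"]
    if _eval_rule(node.get(op, False), auth):      # rule at the root covers everything
        return True
    for segment in [s for s in path.strip("/").split("/") if s]:
        child = node.get(segment)
        if child is None:
            # "$something" keys match any child name that is not listed explicitly
            wildcards = [k for k in node if k.startswith("$")]
            if not wildcards:
                return False                       # no rule on this subtree at all
            child = node[wildcards[0]]
        node = child
        if _eval_rule(node.get(op, False), auth):
            return True
    return False                                   # reached the location; nothing granted


def can_read(rules: dict, path: str, auth: Optional[dict] = None) -> bool:
    return _allowed(rules, path, ".read", auth)


def can_write(rules: dict, path: str, auth: Optional[dict] = None) -> bool:
    return _allowed(rules, path, ".write", auth)


def rest_path_to_location(url_path: str) -> str:
    """Map a REST path such as '/PayoutDays.json' to the database location '/PayoutDays'."""
    return url_path[:-5] if url_path.endswith(".json") else url_path


if __name__ == "__main__":
    # Constructed requests: what an outsider who only knows the database URL can do.
    requests = ["/.json", "/PayoutDays.json",
                "/PayoutDays-asdhuqw9nnuucxzksdb21872nn1n.json"]
    for name, rules in [("public root", RULES_PUBLIC), ("named node", RULES_NAMED_NODE),
                        ("secret path", RULES_SECRET_PATH), ("auth only", RULES_AUTH_ONLY)]:
        for req in requests:
            loc = rest_path_to_location(req)
            print(f"{name:12} GET {req:50} anon={can_read(rules, loc)!s:5} "
                  f"signed-in={can_read(rules, loc, auth={'uid': 'u1'})}")
```

The same checks against a real project are the REST calls from the answer: `GET https://<project>-default-rtdb.firebaseio.com/.json` versus `/PayoutDays.json`. The simulator makes the point concrete: the named-node and long-key rule sets only remove the "list everything from the root" shortcut, while the `auth != null` variant is the first one that denies an unauthenticated caller who does know the path.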