Why is it not secure to connect a mobile app to a MongoDB database directly? I’ve been looking into creating an application with dotnet MAUI and using MongoDB as the database. I’ve seen in several threads online that it’s a very bad idea to connect the app directly to the database for security reasons. They almost all recommend creating a server with a REST API to interface with. This sort of makes sense to me, but then what are the MongoDB drivers for? Isn’t the entire point of them to connect the application directly to the database?
Are they only meant to be used for internal applications where this type of security isn’t an issue? Am I missing something here, or is the only way to create an adequately secure architecture for this sort of application to create a REST API to interface with, which serves as a middleman to connect to the database?
I was working on a test MAUI app and everything worked fine building to windows. Once I deployed to my android (Pixel 5) emulator, the MongoClient constructor threw an error which got me researching until I found the aforementioned information about security issues.
(Edit)
It just occurred to me that dotnet can absolutely be used to create a REST API using ASP.NET, in which case it would be secure to use the drivers. I’m going to leave the question up in case there is another response.
2 Answers
In addition to the user provisioning problem that Wernfried mentions, you have the concern that other people can and will scrape your credentials out of your app and be able to browse that MongoDB directly using something like Studio 3T. They will then attempt to do some of the worst things imaginable to your database, using it to store and share content for other apps, use it to mine Bitcoin, and generally run amok.
Finally, you will have serious scalability problems. MongoDB is not an "internet-scale" database; it is designed to handle hundreds of connections. You can push it to a few thousand, but then it will fall down. If each of your clients connects directly to the database, you will exhaust this fairly quickly and your app will stop working.
In general you likely wouldn’t want to connect your mobile application directly to your database.
MongoDB connections can be secured using various authentication mechanisms. If using MongoDB Atlas, all connections (by default) will also be further secured via TLS/SSL.
When building your REST API you’d use the MongoDB Drivers to establish and authenticate a connection to your cluster, and interact with your data via the CRUD APIs and other convenience methods. The reason this guidance may be provided (build a REST API first) is to move the state management of those interactions to an intermediary layer (the server where you’re hosting your REST API).
If you’re managing your own cluster see "Tuning MongoDB & Linux to allow for tens of thousands connections" for details on server side connection tuning. MongoDB Atlas (the managed service) documents the Connection Limits per Cluster Tier so that you can plan to scale up as your connection needs change.
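The two answers above make two separate points: credentials compiled into a mobile app can be extracted and reused against the database, and every handset holding its own driver connection will exhaust a cluster's connection limit. The following is an added example, written for this thread and not code from the original posts, MongoDB, or any of the linked documents, showing the shape of the intermediary layer the answers recommend: an ASP.NET Core minimal API that owns the single driver connection, plus the corresponding HttpClient call from the MAUI app. The configuration keys (`Mongo:ConnectionString`, the `Authentication:Schemes:Bearer` section), the database and collection names, the `Note` document shape and the API base address are all assumptions for illustration. The two files belong to two different projects (the API server and the MAUI app) and are shown in one block only for reading.

```csharp
// ===== Program.cs (ASP.NET Core Web API project; this is where the MongoDB driver runs) =====
// The connection string is read from server-side configuration (e.g. the environment
// variable Mongo__ConnectionString or a secret store). It never ships inside the app,
// so there is nothing for someone unpacking the APK to scrape and reuse in Studio 3T.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using MongoDB.Bson;
using MongoDB.Bson.Serialization.Attributes;
using MongoDB.Driver;

var builder = WebApplication.CreateBuilder(args);

// One MongoClient per process: the driver keeps a bounded pool, so however many phones
// talk to the API, the cluster sees at most MaxConnectionPoolSize connections from it.
var mongoSettings = MongoClientSettings.FromConnectionString(
    builder.Configuration["Mongo:ConnectionString"]   // assumed config key
    ?? throw new InvalidOperationException("Mongo:ConnectionString is not configured"));
mongoSettings.MaxConnectionPoolSize = 100;
builder.Services.AddSingleton<IMongoClient>(new MongoClient(mongoSettings));

// The app authenticates to the API with a bearer token for the *user*, not with database
// credentials. Issuer/audience/key settings come from "Authentication:Schemes:Bearer".
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer();
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Read: the owner filter is taken from the verified token, never from the request,
// so a client cannot ask for another user's documents however it crafts the call.
app.MapGet("/notes", async (ClaimsPrincipal user, IMongoClient client) =>
{
    var ownerId = user.FindFirst(ClaimTypes.NameIdentifier)?.Value;
    if (ownerId is null) return Results.Unauthorized();

    var filter = Builders<Note>.Filter.Eq(n => n.OwnerId, ownerId);
    var notes = await NotesCollection(client).Find(filter).Limit(100).ToListAsync();
    return Results.Ok(notes);
}).RequireAuthorization();

// Write: the server decides which fields a client may set and validates them; the
// client never composes a raw document or a raw query.
app.MapPost("/notes", async (ClaimsPrincipal user, IMongoClient client, NoteInput input) =>
{
    var ownerId = user.FindFirst(ClaimTypes.NameIdentifier)?.Value;
    if (ownerId is null) return Results.Unauthorized();
    if (string.IsNullOrWhiteSpace(input.Text) || input.Text.Length > 4000)
        return Results.BadRequest("text must be 1-4000 characters");

    var note = new Note { OwnerId = ownerId, Text = input.Text, CreatedUtc = DateTime.UtcNow };
    await NotesCollection(client).InsertOneAsync(note);
    return Results.Created($"/notes/{note.Id}", note);
}).RequireAuthorization();

app.Run();

// Database and collection names are assumptions for this example.
static IMongoCollection<Note> NotesCollection(IMongoClient client) =>
    client.GetDatabase("app").GetCollection<Note>("notes");

record NoteInput(string Text);

class Note
{
    [BsonId, BsonRepresentation(BsonType.ObjectId)]
    public string? Id { get; set; }
    public string OwnerId { get; set; } = "";
    public string Text { get; set; } = "";
    public DateTime CreatedUtc { get; set; }
}

// ===== NotesApi.cs (the MAUI app; no MongoDB.Driver reference at all) =====
// The only things present on the device are the API's HTTPS address and the user's own
// short-lived token. `Note` here is a DTO mirroring the server's class.
using System.Net.Http.Headers;
using System.Net.Http.Json;

public sealed class NotesApi
{
    private readonly HttpClient _http;   // BaseAddress = https://api.example.com (assumed)
    public NotesApi(HttpClient http) => _http = http;

    public async Task<List<Note>> GetNotesAsync(string accessToken)
    {
        using var request = new HttpRequestMessage(HttpMethod.Get, "/notes");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        using var response = await _http.SendAsync(request);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadFromJsonAsync<List<Note>>() ?? new List<Note>();
    }
}
```

The driver is still doing exactly what it is built for: it is just running on the server, where the connection string can be kept out of the binary, rotated without an app release, and shared through one pool instead of one connection per phone. Per-user scoping happens in the API from the authenticated identity, which is the "state management" the second answer describes moving to the intermediary layer.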