I'm working on an Android app that reads from a Firebase database. App users won't be logging in or modifying the database. All app users will be looking at the same data; I'm using Firebase for its real-time update features.
Ideally, I would like to restrict access to the database so that only my app can read the data.
I am aware of a few things I could do:
1. Write security rules that allows anyone to read, that is
{
"rules": {
".read": true,
".write": false
}
}
Con: Anyone can read :(
2. Write security rules that allow authenticated users to read, then hard code the username and password into the app
{
"rules": {
"$user_id":{
".read": "auth.uid === $user_id",
".write": false
}
}
}
Con: Hard coding a username and password in an app seems very wrong. Plus, it doesn't actually lock down the database, since anyone could decompile the app, grab the google-services.json and the hard-coded user name/password, and write their own app that shared my package name.
Googling has revealed this, which is specific to writing, and this, which says "no" but is a few years old.
What is the correct approach restricting access to the database? Am I approaching this from the wrong direction?
