I am using the Firebase Admin SDK in Java to mint custom tokens with custom claims set. I am sending these back to the Android app, which is the client interface, and am logging in with:

signInWithCustomToken("foundtokenfromserver");

Now the service account file used to sign the token is safe and hidden. But since the Database URL, API Key and Storage Bucket URL are exposed on the web part, I think anyone can make an app of their own from that. I do have security rules in place restricting a user to their own node.

My main concern is:

If someone intercepts the minted custom token and saves it, can they not just use that token to log in using the above FirebaseApp (generated using the exposed info)?

Is there a way in which Firebase prevents such misuse (maybe the auth domain can stop the web, but what about localhost)?

Rosário Pereira Fernandes: I've never created a custom token, so I can't tell you much about that. But you don't need to worry about the database URL, API key and storage URL being exposed, unless your database and storage have the security rules set to public. Then anyone can access it from the URL (check). The API key is also not a problem, because it is nothing more than a different way to name your project (refer to this post).

Kushan: Yeah, I get that, but with those exposed, anyone can initialize a FirebaseApp instance on web and Android (I don't know about iOS). And if they do get their hands on the auth token, I am worried that they might just be able to authenticate or, let's say, masquerade and get in. Also, the Android SDK transparently refreshes the tokens, so... yeah, lifetime access :-\

Rosário Pereira Fernandes: I don't think anyone can initialize a FirebaseApp instance with these data. Because on Android, you'd need the google_services.json file to initialize your app. And on the web, you'd need to log in on the Firebase CLI before you can serve/deploy a web app using Firebase hosting.

Kushan: google_services.json is exposed if anyone unpacks the APK. Also they can have the same package id, and in my case the Firebase app isn't protected by SHA1 due to multiple Firebase projects in one app. Web is secure thanks to the login, as you said :D

Kushan: I worry too much :'( stupid overthinking brain... I am sure there must be something on Android too which can save me.

1 Answer

In general, you will only mint the custom token after you send some auth assertion to your server. For example, you may be using your own custom auth system using email/password. Another example is that you could be using an unsupported OAuth provider and assume that provider already verified the user and only returned the assertion (OAuth credential/Authorization code, etc) after verifying the application. In addition, you would be using a secure TLS connection to prevent eavesdropping.
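As an added example (it is not the answerer's code, nor anything from the asker's project), here is a server-side Java sketch of the flow the answer describes: the custom token is minted only after the server has verified an assertion against its own authentication system, and the endpoint is only ever reached over TLS. The Admin SDK call `FirebaseAuth.getInstance().createCustomToken(uid, claims)` is the real API; `CredentialStore`, the `role` claim and the caller's HTTPS wiring are assumptions made for the illustration.

```java
// Added example, not code from the original post. Assumes the Firebase Admin SDK
// is on the classpath and FirebaseApp has already been initialized with the
// (secret, server-side only) service account. CredentialStore is a hypothetical
// stand-in for whatever auth system the server trusts (e.g. its own email/password table).
import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.auth.FirebaseAuthException;

import java.util.HashMap;
import java.util.Map;

public class CustomTokenMinter {

    /** Hypothetical verifier over the server's own credential store. */
    public interface CredentialStore {
        /** Returns the user's uid when the assertion verifies, otherwise null. */
        String verify(String email, String password);
    }

    private final CredentialStore store;

    public CustomTokenMinter(CredentialStore store) {
        this.store = store;
    }

    /**
     * Mints a custom token only after the caller proved who they are.
     * Expose this behind an HTTPS endpoint only, so the assertion and the
     * returned token cannot be read in transit.
     */
    public String mintAfterVerifying(String email, String password) throws FirebaseAuthException {
        String uid = store.verify(email, password);
        if (uid == null) {
            // No verified assertion, no token: nothing is minted for an unauthenticated caller.
            throw new IllegalArgumentException("invalid credentials");
        }

        // Custom claims are embedded in the token and, once the client has exchanged it,
        // are visible to Realtime Database / Storage rules as auth.token.role.
        Map<String, Object> claims = new HashMap<>();
        claims.put("role", "member");   // assumed claim name, for illustration only

        // The token is signed with the service-account key that never leaves the server
        // and expires one hour after issuance; the Android client redeems it once via
        // signInWithCustomToken(token), after which Firebase hands out its own ID/refresh tokens.
        return FirebaseAuth.getInstance().createCustomToken(uid, claims);
    }
}
```

The defensive point this shows: the exposed API key, database URL and bucket name let anyone build a FirebaseApp that *asks* for a sign-in, but a custom token only comes out of this method after `CredentialStore.verify` succeeds, so the sensitive secret to protect is the assertion (the user's credentials) and the server's service-account key, and the reason the answer insists on TLS is that the token itself is a bearer credential for the hour it remains valid.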