Whats wrong with implementing Firebase security rules in the app itself?

1
votes

I am new to Firebase database and I am having trouble understanding the security rules.

Example Rule 1:

{
  "rules": {
    ".read": true,
    ".write": true
  }
}

The above rule allows everyone to read and write the database.

Example Rule 2:

{
  "rules": {
    "users": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    }
  }
}

The above rule allows only the authenticated user to read and write only their own data.

My question is, if I set the security rule of my database to Example Rule 1 and develop my app in such a way that only the authenticated users can read and write the data, whats wrong with it?

Whats wrong with implementing the security rules in the app itself?

3
javaandroidfirebasefirebase-realtime-databasefirebase-security

3 Answers

3
votes

If I set the security rule of my database to Example Rule 1 and develop my app in such a way that only the authenticated users can read and write the data, whats wrong with it?

The security rules in your first solution, validate the read and write operations on your entire database. So if you attach a listener on your Firebase database root node, it will check if you have read permission on the root node. Since you have set the read/write permission to true:

{
   "rules": {
     ".read": true,
     ".write": true
   }
}

All read and write operations is will be approved, regardless of how your code looks like in your app. Please note that your database can be accessed by any other user, even if they don't use your app.

Whats wrong with implementing the security rules in the app itself?

You cannot add security rules in your app. You can add some constraints but you can not make the server reject operation according to some rules.

1
votes

You must go through this https://firebase.google.com/docs/database/security/securing-data . These rules are used to defined the security of your data . What type of data can read and by whom . Rules generally follow the data structure you have used in your data base . 

{
 "users": {
"users0": {
  "name": "ABC",
   "marks":"75",
  "email": "[email protected]"
},
"users1": {
  "name": "XYZ",
  "marks":"30",
  "email": "[email protected]"
},

}
}

In order to read the data of users whose marks is above 70 ,then we can write our rule as 

{
"rules": {
"users": {
  "$user": {
    // only users whose marks greater than 70  can be read
    ".read": "data.child('marks').val() > (70)",

  }
  }
 }
 }

In this case , only the user data whose marks are above 70 will be read by user .

1
votes

When you access Firebase Database from your app, your application contains the configuration information that is needed to access your database. For the Realtime Database that is a URL of the pattern https://yourprojectname.firebaseio.com, which is in your google-services.json. The app must contain that information, to allow your app to work. Without it the app wouldn't know what database to access.

But that also means that a malicious user can extract that information from your app, and use it to access the database without using your app. Once they know the URL of your unprotected database, they can use that in their own code. And if their code doesn't follow the same rules as your code, your data will get corrupted (or compromised), since there are no server-side security rules to enforce those rules.

A very simple example is that they can use the Firebase REST API to delete all of your data.

curl -X DELETE 'https://yourprojectname.firebaseio.com/.json'

If you implement the logic in Firebase's server-side security rules, there is no way for a malicious user to bypass it. Even if they take your database URL, their code/REST calls will also be verified against the security rules, and rejected if they don't match.