0
votes

I have an Android app which uses Firebase for authentication and Firestore for storing user data. Once authentication is complete for a first-time user, we collect extra info like nickname, age, etc. and store it in Firestore. We also have an important field called USER_BALANCE. This is set to 0 on new account creation. How can I make sure they don't manipulate this field?

int USER_BALANCE = 0;
User user = new User(name, email, USER_BALANCE, 0, 0, refreshedToken);
db.collection(FIREBASE_COLLECTION_USERS)
        .document(firebaseUser.getUid())
        .set(user)
        .addOnSuccessListener(this);

We also have certain tasks in the app; on completion, the user gets rewarded and points are added to USER_BALANCE in Firestore. I want to make sure nobody can decompile the app and update the field with whatever value they want.


2 Answers

0
votes

You can use Firebase rules for that. Firebase rules check if a user is able to manipulate your data. You can choose for the user to be able to only read the specific value. Because you haven't provided a view of your database structure, I can't tell you how the specific rule that you need will be framed. Check this blog; it really helped me a lot when I was starting.

---Edit---

The below firebase rule checks if the user tries to update the specific field and blocks it. You can check this post for more information.

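// True when the write leaves `field` unchanged, or when the resulting
// document does not contain `field` at all.
function notUpdating(field) {
  return !(field in request.resource.data)
    || resource.data[field] == request.resource.data[field];
}
match /Users/{userId} {
  allow read;
  // A rule condition has to be introduced with `if`.
  allow update: if notUpdating('user_balance');
}
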
0
votes

Anybody can decompile the app and attempt to make changes. There is no way to prevent that. They don't even need your app to write the database, since it has a public REST API.

What you will need to do instead is use Firebase Authentication along with security rules to determine who can read and write which documents. There is no other way to control access to your database if you intend for your app to be able to read and write it directly. You can certainly disable public access entirely and create your own backend - but you have just shifted the responsibility onto the backend for making sure the API it exposes also does not allow arbitrary callers to make unauthorized changes.
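
A fuller rule set for the situation both answers describe, as an added example that is not part of either answer: only the signed-in owner can read or write their own document, a new document must start with a zero balance, and no client write can change or remove the balance. The `Users` collection and `user_balance` field names are taken from the first answer's rule and are assumptions about the asker's schema; reward points would then be written by trusted server code through the Admin SDK, which is not subject to these rules.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed layout: one document per user, keyed by the Firebase Auth uid.
    match /Users/{userId} {

      // The caller is signed in and is addressing their own document.
      function isOwner() {
        return request.auth != null && request.auth.uid == userId;
      }

      // The write neither changes, adds nor removes the balance field.
      // affectedKeys() covers added, changed and removed keys, so deleting
      // the field is rejected as well.
      function balanceUntouched() {
        return !request.resource.data.diff(resource.data)
                 .affectedKeys().hasAny(['user_balance']);
      }

      allow read: if isOwner();

      // First write after sign-up: the balance must be exactly 0.
      allow create: if isOwner()
                    && request.resource.data.user_balance == 0;

      // Profile edits are fine as long as the balance stays as stored.
      allow update: if isOwner() && balanceUntouched();

      // No client-side delete: otherwise a user could delete the document
      // and re-create it to reset the stored balance.
      allow delete: if false;
    }
  }
}
```

The Firebase emulator suite can run these rules locally, which makes it possible to confirm that an update touching `user_balance` is denied before deploying.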