Ok I have a Realtime database connected to a app and till today the rules ( read and write ) were set to true , everything was working fine ....but every time a message pops up saying
Your security rules are defined as public, so anyone can steal, modify, or delete data in your database
I tried few things but data was not accessed...data was only accessible when the rules were set to true
but is there any way to modify the rules to make it more secure
I want this Data to be accessed by only few known apps ( My Apps )
Start here in the docs and work your way through. It's very practical and easy to understand.
data was only accessible when the rules were set to true
Firebase RTDB has a public URL, so anyone can try connecting to it. It is your job to decide whether they can do this or not. If your rules for any path/node look like this, it is available to anyone who makes a request:
{
".read": true,
".write": true
}
If you only want to allow users of your app to connect to RTDB, you can use Firebase Auth and use conditions like this:
{
".read": "auth != null"
".write": "auth != null"
}
I want this Data to be accessed by only few known apps ( My Apps )
Access is determined on a user level, not by app. Start here in the docs.
but is there any way to modify the rules to make it more secure
Either in the Firebase Console, or deploy them via the CLI. If you're new to this, start with the Firebase Console and use the Rules Playground to test different rules. See docs for more information.
So unless someone has access to my Google account or a app /web integrated with my database... No one can access the data even if the rules are set to true, am I right ?
Your database is not "integrated". It is a deployed instance that is reachable via a public URL - that's how your clients connect to RTDB. If your rules allow any read or write operation, then your database is wide and open for everyone. Hence, the email that you have received informing you that this is not secure.
{
"rules": {
".read": "auth.uid !== null",
".write": "auth.uid !== null"
}
}
Currently accepted Rule docs
Related
I have these rules in my Firebase Real-time Database:
{
"rules": {
".read":"auth !== null && auth.uid === 'my_uid'",
".write": false
}
}
When I try to read the data without authentication, access is denied. So far, only my app can read it successfully.
Still, I'm getting an email from time to time, from Firebase, that my rules are not secure and that everyone can read the data.
What am I missing here?
I can't get permission to database.
In xcode console I am getting this message:
[Firebase/Database][I-RDB038012] Listener at /skelbimai failed: permission_denied
So I went to firebase database, then Rules and changed like this:
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write;
}
}
}
And still I cant read write from database. Where I missed something?
The rules you changed are the rules for Cloud Firestore, while the error message is coming from the Firebase Realtime Database.
You'll need to switch your console from the Realtime Database to Firestore. To do so:
Go to the Firebase database console
Select Realtime Database
From here on the console will stick to showing the realtime database, unless you switch again.
If you already have the console open on one database, you can switch to the other by clicking on the dropdown next to Database and selecting the database you want to manage:
To grant full access to anyone, use these rules:
{
"rules": {
".read": "true",
".write": "true"
}
}
Please only use this for early development stages, as having your entire database publicly read-and-writeable makes it very easy to abuse.
Try Following
Goto Database -> Rules then
copy and paste it
{
"rules": {
".read": "true",
".write": "true"
}
}
Ok. I am unsure about a few things with Firebase and its security and I was hoping that you guys would help me clear a few things up and also this might be a great topic to get some noob questions cleared up.
1. Does FIRAuth.auth() manage tokens and connections?
I have very simple code in my project:
if let user = FIRAuth.auth()?.currentUser {
// Do Stuff
}
Is this all I need to do? How does this connect to Firebase? By this I mean is this data sent via GET/POST or is it encrypted? Should I be generating tokens and authentication and then checking that?
2. Is this sufficient rules to stop access to the DB?
I have defined some rules in my database:
{
"rules": {
".read": "auth != null",
".write": "auth != null",
"score": {
"$user_id": {
".write": "$user_id === auth.uid"
}
}
}
}
What I want to achieve here is the ability to save a score value in the DB. However, the database should only be accessible to the user logged in and also the entry with the user_id also. They should not be able to access another players score.
3. Can I test these rules?
Is there a way to have dummy users and privileges in the console so I can test these? If so, how?
4. Is it possible to have SQL injections if there is no SQL database?
Are there other methods I should be trying to stop, for example stopping MITM attack, etc.?
Appreciate all answers.
I am trying to pull in data on a certain View Controller from my Firebase database using the following:
_refHandle = [_postRef observeEventType:FIRDataEventTypeValue withBlock:^(FIRDataSnapshot * _Nonnull snapshot) {
NSDictionary *postDict = snapshot.value;
// ...
}];
The code works great in the simulator but not working on the iPhone(code gets skipped over). I use this piece of code in other parts of my application and it works on both the device and simulator. I have also implemented this piece of code into a custom method for pulling in data (Still does not work). Does anyone know why this is not working on a real device?
I found that if you logged in, and delete the application, then after you install the application again, you will still be logged in. I do not know exactly, but I assumed that Firebase somehow binds the account cache to the Keychain with Bundle Identifier, not in the app local storage.
My solution is not good enough but it worked for me:
Remove your APP from real device.
Go to your project in Navigation Panel.
In General tab change your Bundle identifier, for example: "myApp.com" to "myApplication.com" or whatever you want.
Build and run
Bingo!
Update: Firebase remembers your data in keychain using your Bundle identifier as key, that's why it works when you change Bundle Identifier
It happens because of your security rules. In your Firebase Console:
Go to the Database menu item
Go to the Rules tab
Update the security rule to:
{
"rules": {
".read": true, // Or whatever rule you would like
".write": "auth != null"
}
}
Go to the Database menu item
Go to the Rules tab
Update the security rule to (for real device):
{
"rules":
{
".read": "auth != null",
".write": "auth != null"
}
}
Update the security rule to (for real simulator Test):
{
"rules":
{
".read": "auth == null",
".write": "auth == null"
}
}
I'm using the Firebase iOS SDK and part of my app experience is group chat. I have a class for each group chat and store a reference to the firebase object as follows:
self.firebaseMessages = [[Firebase alloc] initWithUrl:[NSString stringWithFormat:#"%#/Message/%#", FIREBASE_URL, chat.objectId]];
I then observe each event I'm interested in. This works very well. I use custom auth with JWTs and my issue is when the token expires or the user logs out / in and I re-authenticate. At that point, the callbacks stop firing for the events I'm observing unless I completely restart my app. I know the re-auth was successful because I get a success callback and authdata in the AuthEventWithBlock. When I set values, the database updates and other clients receive those updates. It's just the client that re-auth'd that no longer receives updates.
I've dumbed down my security rules to eliminate that as a possibility:
"Message": {
"$message": {
".read": "auth != null",
".write": "auth != null"
}
}
I re-auth on the root URL:
Firebase *ref = [[Firebase alloc] initWithUrl:FIREBASE_URL];
[ref authWithCustomToken:responseObject[#"auth_token"] withCompletionBlock:^(NSError *error, FAuthData *authData) {
I've tried re-auth on each message URL as well. Also tried re-instantiating all of my Firebase objects.
Also note that I am using [ref unauth] on the root to log the user out and to simulate a token expiration.
What am I missing?
Kato's comment is the solution. Make sure to re-establish event listeners if you lose authentication and re-auth.
Also worth nothing that all of the data will also flow back in when the listeners are re-established. If you're on a screen that streams data from those listeners - like a group chat, you will likely receive data that is already being displayed. Easy enough to handle, though.