25

I am storing my app's data on Firebase and this being my first project on Firebase is proving to be much more difficult than I thought. I have gone through the official documentation and it says that we can login a user with their email and password or use other login options like Google or Facebook etc. However I don't want user's to login to my application but only read and write data to firebase if they are using my app. Right now I am using public rules for my firebase but then anyone with a reference to my firebase URL can read and write to the database. How do I overcome this?

Thanks in advance.

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
Sourav Kanta
  • 2,727
  • 1
  • 18
  • 29
  • 2
    What about using anonymous authentication? https://firebase.google.com/docs/auth/android/anonymous-auth – finki Jul 15 '16 at 11:39
  • 2
    You have already introduced a major threat by making rules Public. Best way to overcome this is to implement Authentication. Period. – Chintan Soni Jul 15 '16 at 11:42
  • @finki what is difference between anonymous authentication and public. – Avinesh Feb 02 '17 at 17:56

5 Answers5

13

Enable Anonymous sing-in provider under Sing-in Method under Authentication tab in your Firebase Console and use firebase anonymous authentication

Morad
  • 2,761
  • 21
  • 29
2

Nowadays you can accomplish this by enabling Firebase App Check, which only allows requests coming from your real app on a genuine device to make requests these protected services on your Firebase project:

  • Realtime Database
  • Cloud Firestore
  • Cloud Storage
  • Cloud Functions (callable functions)

You can also implement App Check in your own backend code to provide it with the same protection.

As the documentation says:

Using App Check does not guarantee the elimination of all abuse, but by integrating with App Check, you are taking an important step towards abuse protection for your backend resources.

For the above services, that'd typically mean that you'll also want to implement Firebase Authentication and then implement fine-grained access control in server-side security rules.

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
1

Firebase Real-Time DB does not allow access to Un-Authorized Users.

Making the Firebase Database Rules true for Read & Write is not the way as (Chintan Soni) said.

So a Authentication mechanism is the best way!

Veeresh Charantimath
  • 4,641
  • 5
  • 27
  • 36
-6

If you only want to use firebase database you should:

  1. Download SDK from gradle https://firebase.google.com/docs/android/setup
  2. In firebase console create project and add your app, download json i put it on your Android Studio Project
  3. Add database dependiences 'com.google.firebase:firebase-database:9.2.1'
  4. Configure rules in console. You could also disable rules (recomended only for first tests: "rules": { ".read": true, ".write": true }

I also recomended update Android Studio to version 2.1 or 2.2 with Firebase integration included.

Mateusz
  • 22
  • 3
-9

Set Database rules up as follows:

    {
  "rules": {
    ".read": true,
    ".write": true
  }
}
Face Value
  • 49
  • 1
  • 9