What rules do I set in my firebase real-time database such that only specific users registered in my project can access it?

Question

I am new to Firebase. Recently I registered my web-app and my android app in my firebase project. I have a Realtime Database in my project where the following rules are set:

{
  "rules": {
    ".read": "auth !== null",
    ".write": "auth !== null"
  }
}

I just got an email today from firebase saying that my database is insecure as any authenticated user can modify it. So my question is what rules do I set in my database such that only some users registered in my firebase project (i.e., my web app and my android app) can access it?

Answer 1

The simplest way to allow only users of your app to access the data, is to implement Firebase App Check in the application and then enforce that for the Realtime Database.

This topic has been covered quite a few times before, so I recommend also checking out:

• Locking down Firebase DB access to specific apps
• Firebase rules that supports only requests from my apps