Firebase DB doubts

mikkupoocha · March 31, 2019, 7:27pm

can a user find details like firebase db url, API Key etc. if they have access to the apk ?
(this one may sound stupid, but stil…) can we set the write rules of a project using blocks ?

cian · March 31, 2019, 8:59pm

1 a. There are a few things you can do, such as use the obfuscation function in text. You can also do some fancy API key reassembling.

1 b. You can use my extrention HackProof to see if the device is rooted, on an emulator or using ADB debugging to reduce the chance that you can find the API’s

No, unless you use Firebase Authentication, then you can set different users to different write areas you have setup ahead of time. You can also “channel” all the writes to dynamic subdirectories. It is not foolproof, but does obfuscate.

mikkupoocha · March 31, 2019, 9:53pm

But even ‘root’ can be hidden using Magisk (If your extension helps to block rooted users).

Kodular doesn’t encrypt data like API key, DB URLs etc. by default ?
Can people be able to read the data if they decompile the apk ?

I doubt if rooted users can find the database to which a request is send from the apk

yusufcihan · March 31, 2019, 10:03pm

There is a text block with you can protect your keys a bit more called obfuscate text in Text category.

Also,

I don’t think this is easy as you thought. So don’t worry much.

cian · March 31, 2019, 10:05pm

Thank @yusufcihan . I did not say where it was located properly.

yusufcihan · March 31, 2019, 10:13pm

Ops, sorry. I didn’t saw that.

Mr_Nicolas · April 1, 2019, 5:50am

How to apply obfuscation to value of variable? For example if i generate an ID with randomization and want keep in phone’s memory (for example tiny db). Can i keep it secured?

Kanishka_Developer · April 1, 2019, 6:50am

Store an obfuscated text block as the TinyDB value. Or you could even encrypt the data with the Cryptography components.

Mr_Nicolas · April 1, 2019, 7:29am

may question is how to put my random generated number into obfuscated text block?
I tried but could not use cryptocraphy component. only used succesfully bas64 encoding but there are a lot of online base64 decoders that is why dont want to use base 64. i want use aes256 but could not do.

Kanishka_Developer · April 1, 2019, 9:08am

No way to do this at runtime.

Did you use a proper key?

Mr_Nicolas · April 1, 2019, 11:24am

what is proper key? can yo help me please? i saw that i must input some key but ded not know what is this and where can i find that key

Kanishka_Developer · April 1, 2019, 11:27am

Generate one. There are tutorials and resources online on this topic.

plang58 · April 1, 2019, 11:52am

can you explaine more pls

Kanishka_Developer · April 1, 2019, 3:08pm

Use this block:

plang58 · April 1, 2019, 6:54pm

that block i know, the translater translated wrong sorry,

Deepanshu_Arya · April 2, 2019, 2:07am

I think it is good to use but if someone want to see those details then they can do it by hook or crock because APK can be decompiled and it’s all files/menifest etc can be seen

cian · April 2, 2019, 5:17pm

Well the Obfuscation modifies the data through an algorithm so it is not in plain text when compiled, therefore you cannot find it easy when it is uncompiled.

Boban · April 17, 2021, 11:27am