Firebase security - is it necessary?

I’m making a chat app that will allow 2 people to chat in private. There can be many users at the same time, but people will be paired together into separate chatrooms.

Currently my Firebase rules are set to read true and write true. In other words they are set to Test Mode.

Firebase will only save the messages. Users won’t use their real names, locations, photos etc. It’s all purely anonymous.

Do I still need security, e.g. authentication?

Nobody says “No” to more security :star_struck: I don’t know if it is necessary, but if you can and if you know how to protect your database, then do it. That way less data will be affected if someone attacks your data. It would be nicer for you and your users with more security.

This is the thing. What would someone attack?

Perhaps someone could disrupt a private chat but even then I’m not sure how.

Also I’m not really sure how to protect the database - I know I can change the rules. But I don’t understand what to do in Kodular blocks. I’m still trying to figure it out but the documentation is sadly lacking.

Currently the Firebase component is unsafe because we can't access it with auth.
You can encode/decode messages with the crypt component for more security.

That is not true. You can work with a second Firebase extension to make your database safe.
You have to use both with the auth extension to make your database safe. There is also a video on YouTube out there.
I have no link at the moment. I need it also, so I have to search for the post with the video link or the thread with the description where you see the blocks and how to use it.

@plang58 is correct. Both of us use it.

I wrote about how to set it up here.

So with the auth extension we have a user token, and with this token we can use Firebase more securely. Thanks guys, I missed it. I hope Kodular adds support to its own component.

What is the token lifetime? When does it expire? If I make a single account for all users, can I use the same token without problems?

NEVER, BUT NEVER forget proper security rules! I recently was able to hack a friend's app just because of the poor encryption & Firebase rules. So, wrapping up, yes.

What does it mean if someone hacks my app? How can they hack it and what can they do?

Destroy all firebase data, copy it, delete it, change it, make it useless.

The only data that is saved is the private chat between the users. It doesn’t save a history, just the current message.

So if User 1 sends a message “Hi” it will be saved to User1 tag in Firebase.

Because the data has changed the When Firebase Data Changed block is triggered and User 2 will get the message “Hi”.

Can a hacker hack into Firebase and change the messages or “steal” them?

Yes, and they can use your database to store what they want.

Thank you very much guys for all your input. I’ve now managed to add security and it seems to be working.

I now have one thing that I can’t figure out - say a user forgets their password, how can they reset it?

This is also related to a user clearing their cache or deleting their app and reinstalling it - firebase will show the email exists if they try and sign up again using the same email.

Can you share what you did?
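
Added example, not part of the original thread and not any poster's own setup: a small Python check that reads a Realtime Database rules document and flags `.read`/`.write` rules that are open to everyone, run against the "Test Mode" rules from the first post and against one possible locked-down layout for paired chatrooms. The paths `rooms/$roomId/members` and `rooms/$roomId/messages/$uid` are assumptions, as is the idea that room membership is written by a trusted backend rather than by clients.

```python
import json

# Constructed sample: the "Test Mode" rules described in the first post.
TEST_MODE = '{"rules": {".read": true, ".write": true}}'

# Constructed sample: a locked-down layout for paired chatrooms. The paths
# (rooms/$roomId/members, rooms/$roomId/messages/$uid) are assumptions.
MEMBER = "root.child('rooms').child($roomId).child('members').child(auth.uid).exists()"
HARDENED = json.dumps({"rules": {"rooms": {"$roomId": {
    # Only the signed-in members of a room can read it.
    ".read": "auth != null && " + MEMBER,
    "messages": {"$uid": {
        # A member can only write to the tag named after their own uid.
        ".write": "auth != null && auth.uid === $uid && " + MEMBER,
        ".validate": "newData.isString() && newData.val().length <= 500",
    }},
}}}})


def audit(rules_json):
    """Return sorted (path, operation, problem) findings for a rules document."""
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                expr = str(value).strip().lower()
                if expr == "true":
                    # A grant cascades to every child path and cannot be revoked lower down.
                    findings.append((path or "/", key, "open to everyone"))
                elif expr != "false" and "auth" not in expr:
                    # Heuristic only: the expression is not evaluated.
                    findings.append((path or "/", key, "no auth check"))
            elif isinstance(value, dict):
                walk(value, path + "/" + key)

    walk(json.loads(rules_json)["rules"], "")
    return sorted(findings)


if __name__ == "__main__":
    for name, doc in (("test mode", TEST_MODE), ("hardened", HARDENED)):
        print(name, audit(doc) or "no findings")
```

Rules like the hardened sample only work once the app signs users in, because `auth` is null for unauthenticated requests.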