How does Firebase prevent attackers from accessing a Firebase Database when app credentials are stored inside the APK?

Views: 128

Question



Because, according to several sources,

How to avoid reverse engineering of an APK file?

it's impossible to prevent an app from being reverse engineered, and Firebase app tokens are stored in the APK source, how won't attackers get these credentials and destroy a Firebase database?

My concern is that there's no controller available to the developer between the native App and Firebase database (unless one routes requests from e.g. Android App to their own server then to Firebase, which would slow down requests, I think). So anyone who can gain access to tokens should essentially be able to do whatever they want with the database.

I'm coming from PHP and MySQL where I'd control all coming requests from clients with PHP, then access the database from PHP with database user information that is stored on the server, not clients.

WHAT I KNEW: Since the web service and the db are both hosted on the server and only the web service needs direct access to the db, there is no need to store db access info in the app. So attackers don't have DB access information available on the App.

I'm probably missing something important here. Would love to understand more.

Solution

You should not distribute the secret at all in the apps. It should not be needed there.

However, you should set up the Firebase Security rules so that any client is only allowed to do the "safe" stuff.
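As an added illustration of what "only allowed to do the safe stuff" looks like in practice (this is example rules text, not part of the original answer or of any Firebase documentation), here is a Firebase Realtime Database rules document for a hypothetical `users` tree. The rules assume each user's record lives at `/users/<uid>` and that clients sign in through Firebase Authentication, so `auth.uid` is the identity Firebase has verified server-side. The contrast is with the permissive test-mode rules `".read": true, ".write": true` at the root, which grant every holder of the app's (necessarily public) config full read and write access; this document instead grants nothing by default and only lets an authenticated user read and write their own record, with a `.validate` constraint on the data shape.

```json
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        "displayName": {
          ".validate": "newData.isString() && newData.val().length <= 64"
        },
        "$other": {
          ".validate": false
        }
      }
    }
  }
}
```

Two properties matter here. First, Realtime Database rules are deny-by-default: any path not covered by a rule that evaluates to true is unreadable and unwritable, so the absence of a root-level `.read`/`.write` means an extracted API key lets a client reach the database only on the paths the rules open. Second, the rules run on Firebase's servers, not in the app, so extracting them or the key from the APK does not let an attacker bypass them; what the key in the APK identifies is the project, not a privileged principal. The `$other` wildcard with `".validate": false` rejects any child key other than `displayName`, which closes the common gap where a client can write arbitrary extra fields under its own record.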
