限制Firebase数据库对一个Android应用程序的访问 [英] Restrict Firebase database access to one Android app
问题描述
我正在开发一个Android应用,该应用从 Firebase数据库读取.应用程序用户将不会登录或修改数据库.所有应用程序用户都将查看相同的数据;我正在使用Firebase的实时更新功能.
I'm working on an Android app that reads from a Firebase database. App users won't be logging in or modifying the database. All app users will be looking at the same data; I'm using Firebase for its real-time update features.
理想情况下,我想限制对数据库的访问,以便只有我的应用程序才能读取数据.
Ideally, I would like to restrict access to the database so that only my app can read the data.
我知道我可以做的几件事:
I am aware of a few things I could do:
1.编写允许任何人阅读的安全规则,即
{
"rules": {
".read": true,
".write": false
}
}
缺点:任何人都可以阅读:(
Con: Anyone can read :(
2.编写允许经过身份验证的用户阅读的安全规则,然后对用户名进行硬编码和密码进入应用程序
2. Write security rules that allow authenticated users to read, then hard code the username and password into the app
{
"rules": {
"$user_id":{
".read": "auth.uid === $user_id",
".write": false
}
}
}
缺点:在应用中对用户名和密码进行硬编码似乎非常错误.另外,它实际上并没有锁定数据库,因为任何人都可以反编译应用程序,获取google-services.json
和硬编码的用户名/密码,并编写自己的共享我的程序包名称的应用程序.
Con: Hard coding a username and password in an app seems very wrong. Plus, it doesn't actually lock down the database, since anyone could decompile the app, grab the google-services.json
and the hard-coded user name/password, and write their own app that shared my package name.
Google搜索显示了此,即和写作有关,此,表示否"但已经几岁了.
Googling has revealed this, which is specific to writing, and this, which says "no" but is a few years old.
限制访问数据库的正确方法是什么?我是从错误的方向来处理这个问题吗?
What is the correct approach restricting access to the database? Am I approaching this from the wrong direction?
推荐答案
3.使用FirebaseAuth
和signInAnonymously()
方法
3. Use FirebaseAuth
and signInAnonymously()
method
参考: https://firebase.google.com/docs/auth/android/anonymous-auth
然后调整安全规则:
{
"rules": {
".read": "auth != null",
...
}
}
缺点:多个帐户仅用于读取相同的数据
Con: multiple accounts used only for reading the same data
这篇关于限制Firebase数据库对一个Android应用程序的访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!