Firebase Android security


Problem description

I am building a chat Android app that allows users to chat, where users can create an account and use all the features. It's about to be completed, but there's a problem, actually a question.

Is Firebase on Android secure?

In my Firebase database, I have created a rule as follows:

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}

Now, this rule will reject any non-authenticated users from accessing the data and pushing data or deleting any of it. But when a user creates an account on my chat app, he/she will be authenticated and my app will allow them to make modifications. What if they reverse engineered the app, changed some of the code, and pushed invalid data or removed some of the values from the database, because they are already authenticated? How can I prevent that?

When a user creates an account in my app, I use:

 auth.createUserWithEmailAndPassword(email, password)
                    .addOnCompleteListener(RegisterActivity.this, new OnCompleteListener<AuthResult>() {

This will create a new chat user for the app. So the user is creating his/her own account and they know the credentials and everything. I am so confused; how can I prevent them from editing my code?

Recommended answer

You can't prevent malicious clients from executing whatever code they want against your Firebase project. Someone will always find a way to compromise your app at runtime on a device that you can't fully control.

The way to protect your data is through sophisticated security rules that:

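  1. Require that the user is authenticated (as you are doing now)
  2. Determine which users can read and write which locations in the database
  3. Reject writes of invalid data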

This requires a fair amount of thought and effort. You can start with the documentation to learn more.
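
As an added illustration of the three points in the answer (not code from the original post or from the Firebase project), here is a Realtime Database rule set for a chat app. The paths `users`, `chats/<chatId>/members` and `messages`, the field names and the length limits are assumptions, and chat membership is assumed to be written only by a trusted backend.

```json
{
  "rules": {
    // No ".read"/".write" at the root: a grant at a parent cascades to
    // every child and cannot be revoked lower down.
    "users": {
      "$uid": {
        // Point 1: authenticated users only. Point 2: only the owner writes.
        ".read": "auth != null",
        ".write": "auth != null && auth.uid === $uid",
        ".validate": "newData.hasChildren(['displayName'])",
        "displayName": {
          ".validate": "newData.isString() && newData.val().length > 0 && newData.val().length <= 40"
        },
        // Point 3: reject any field that is not listed above.
        "$other": { ".validate": false }
      }
    },
    "chats": {
      "$chatId": {
        "members": {
          // Assumption: no client ".write" here; membership is set server-side.
          ".read": "auth != null && data.child(auth.uid).exists()"
        }
      }
    },
    "messages": {
      "$chatId": {
        ".read": "auth != null && root.child('chats').child($chatId).child('members').child(auth.uid).exists()",
        "$messageId": {
          // "!data.exists()" makes messages create-only, so a modified client
          // cannot overwrite or delete them (".validate" is skipped on deletes).
          ".write": "auth != null && !data.exists() && root.child('chats').child($chatId).child('members').child(auth.uid).exists()",
          ".validate": "newData.hasChildren(['sender', 'text', 'sentAt'])",
          "sender": { ".validate": "newData.val() === auth.uid" },
          "text": { ".validate": "newData.isString() && newData.val().length > 0 && newData.val().length <= 2000" },
          "sentAt": { ".validate": "newData.isNumber() && newData.val() <= now" },
          "$other": { ".validate": false }
        }
      }
    }
  }
}
```

With rules like these, a reverse-engineered client that holds a valid login can still only create well-formed messages under its own `uid` in chats it belongs to; everything else is refused by the server regardless of what the app code does.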
