如何防止黑客在Firebase数据库上进行读取/写入 [英] How to prevent a hacker from reading/writing on firebase database
问题描述
我对保护移动应用程序的Firebase数据库有一些疑问.
I have some questions about securing firebase database for mobile applications.
例如,在反编译Android应用程序之后,黑客可以获取firebase api密钥,然后访问firebase数据库,这是正确的吗?
For example, after decompiling Android application a hacker can get firebase api key and then get access to firebase database, is this correct?
让我们假设,我添加了一些安全规则,例如仅当auth!= null时,应用才能在firebase上读取/写入,这意味着身份验证正在保护我的firebase数据库,但这使我提出了同样的问题,如果我配置了facebook/google/甚至Firebase电子邮件身份验证,我将需要一些api密钥供我的应用程序中的那些提供程序使用,如果黑客能够访问这些密钥,他将能够在自己的应用程序中使用我的身份验证并获得访问我的Firebase数据?
Let's assume, I added some security rules like for example an app can read/write on firebase only if auth!=null, this means that the authentication is protecting my firebase database, but this put me to ask the same question, if I configure facebook/google/ or even firebase email authentication I'm gonna need some api keys for those providers in my application, If a hacker got access to those keys, will he be able to use my authentication in his own application and get access to my firebase data?
我想了解在Android应用程序中该怎么做,以确保只有我的应用程序才能访问firebase数据库.
I want to understand what to do in Android applications to make sure only my application will get access to firebase datatabase.
谢谢.
推荐答案
反编译Android应用程序后,黑客可以获得Firebase API 密钥,然后访问Firebase数据库,对吗?
after decompiling Android application a hacker can get firebase api key and then get access to firebase database, is this correct?
仅当您的数据库不使用任何将访问权限限制为仅通过身份验证的用户的安全规则时.
Only if your database does not use any security rules that limit access to only authenticated users.
如果我配置了facebook/google/或什至Firebase电子邮件身份验证 我将在我的应用程序中为那些提供程序需要一些api密钥,如果 黑客可以访问这些密钥,他将能够使用我的 在自己的应用程序中进行身份验证并访问我的Firebase 数据?
if I configure facebook/google/ or even firebase email authentication I'm gonna need some api keys for those providers in my application, If a hacker got access to those keys, will he be able to use my authentication in his own application and get access to my firebase data?
不,那样行不通.
每个通过Firebase认证的用户都会获得一个令牌,该令牌用于在用户访问实时数据库,Firestore或存储之类的受保护服务时识别该用户.该令牌有效期为1小时,之后必须刷新,SDK会自动对其进行刷新.
Each user authenticated with Firebase is issued a token that's used to identify the user when they access protected services, such as Realtime Database, Firestore, or Storage. This token is valid 1 hour and must be refreshed after that, which the SDK will do automatically.
对于黑客来说,要获得对该用户数据的控制权,他们将必须获得此令牌,并且使用该令牌的时间不得超过一个小时.之后,他们将必须获取SDK所获得的下一个令牌.所有这些都必须在用户的设备上进行.
For a hacker to gain control of that user's data, they would have to obtain this token, and they would have no more than an hour to work with it. After that, they would have to obtain the next token obtained by the SDK. All this would have to happen on the user's device.
这篇关于如何防止黑客在Firebase数据库上进行读取/写入的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
