问题
I have an app published on the play store, I want to implement firebase in the app.
I have read all the documentation and I have two doubts:
If someone use apk decompiler with my app and get the googleservices.json, they can do whatever they want with the database?
It is possible that my database is secure without having the user logged-in?
I would appreciate any help
回答1:
The fact that someone can read your googleservices.json doesn't involve security holes. If you configured your Firebase project correctly, you will notice that in the "Project Settings" panel there is a SHA-1 signature to add. If you add the signature of your debug/production keystore, only apps with the specific signature con use the data of googleservices.json to communicate with your Firebase platform. (If you decide to not provide a SHA-1, Google will use something else as identification mechanism as described here)
This question is not very clear. Your database is safe everytime. If your user is not logged in, probably he will not able to communicate with the database. Remember that a user should only be able to see it's own data, so if your app logic is correct a logged user shouldn't be able to see other peoples sensitive data. Moreover remember to not change the database/storage connection rules in the "Rules" panel like in the image below to prevent unauthorized operations:
来源:https://stackoverflow.com/questions/42101663/firebase-database-secure-without-firebase-auth