Tags: swift, firebase, google-cloud-firestore, firebase-security, database-security

Firebase/Firestore - database has insecure rules?


I have a SwiftUI application, which uses Firebase as a back end, and my rules are something like this:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // This rule allows anyone on the internet to view, edit, and delete
    // all data in your Firestore database. It is useful for getting
    // started, but it is configured to expire after 30 days because it
    // leaves your app open to attackers. At that time, all client
    // requests to your Firestore database will be denied.
    //
    // Make sure to write security rules for your app before that time, or else
    // your app will lose access to your Firestore database
    match /{document=**} {
      allow read, write: if request.time < timestamp.date(2020, 10, 28);
    }
  }
}

I understand that these rules allow anyone to read and write to the database. However, as long as they are only using the API provided to them in the application, how is this insecure? For instance, I could understand the danger if, say, someone took the Xcode project from my laptop and created a button that deleted all users in the database. But no one will have access to this code.

I do want users to be able to read and write to/from the database, so I was just wondering if these rules are insecure, and, if so why? Like what is an example of how a hacker with malicious intent could exploit these rules to gain unauthorized access to user information and/or somehow modify the database in a way that the API provided in my application does not allow?

Thank you.


Solution

  • as long as they are only using the API provided to them in the application

    This is precisely the problem.

    Your app contains all the configuration needed to connect to the database (and other resources in your Firebase project). A malicious user can take this configuration data, and call the API themselves - thus bypassing any of your client-side logic.

    While you can configure Firebase App Check to help ensure that access to the database only comes from your code, that is no guarantee, and somebody else might still use their own code with your configuration data.

    That's why it's crucial that you also encode your business logic in your security rules. Say that your application code only allows the user to delete their own account from the database, you'll then also want to encode that logic in your security rules so that they're enforced on the server. This is a variation of what the Firebase documentation on securing your database describes as content-owner only access.
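As an added illustration (not part of the original answer), here is what the content-owner-only pattern looks like as a replacement for the expiring catch-all rule above. It assumes a hypothetical `/users/{userId}` collection where each document is keyed by the Firebase Auth uid and stores that uid in a `uid` field; adjust the paths and fields to your own schema.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Helper: the caller presented a valid Firebase Auth token.
    function isSignedIn() {
      return request.auth != null;
    }

    // Helper: the caller's uid matches the document they are touching.
    // This is enforced server-side, so it holds even for a client that
    // talks to the API directly with the app's configuration data.
    function isOwner(userId) {
      return isSignedIn() && request.auth.uid == userId;
    }

    // Assumed layout: one document per user at /users/{uid}.
    match /users/{userId} {
      // Only the signed-in owner may read or delete their own document,
      // mirroring "a user may only delete their own account" from the app.
      allow read, delete: if isOwner(userId);

      // On create, the stored uid must equal the caller's uid so a client
      // cannot write a document claiming to be someone else.
      allow create: if isOwner(userId)
                    && request.resource.data.uid == request.auth.uid;

      // On update, the uid field may not be changed to another user.
      allow update: if isOwner(userId)
                    && request.resource.data.uid == resource.data.uid;
    }

    // Any path not matched by an allow rule above is denied by default,
    // which replaces the "match /{document=**}" catch-all entirely.
  }
}
```

Because there is no longer a rule for `/{document=**}`, every other collection is denied until you add rules for it, which is the safe default while you encode the rest of your app's business logic.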