I am creating Android application with Firestore. My app does not require authentication. Is there any security rule to allows everyone read & write to firestore, but only via my app?
I have tried to find some rules, but each of them based on authentication.
Thank you for your help!
The closest you can get to this is by implementing App Check and enforcing that for Firestore. While this is a great step to reduce abuse, even with App Check there's no guarantee that all access to your Cloud Firestore database will come from your own application.
Since your application needs to know all the details that are needed to access the database, a malicious user can take those details and replicate them with code of their own.
To properly secure access to your database, you'll also have to use Firebase's security rules. These are enforced on the server, so can't be by-passed by a malicious user. The logic here is that as long as the interactions with the database follow the rules you've set up, it doesn't really matter who wrote the code.
If you don't want your users to have to enter credentials to use the app, you can sign them in using anonymous authentication.
Also see: