I am currently trying to asses the security level of an experimental IoT device I made, which uses the ESP32 to "write" its state in a Firebase database. Currently, I am using database secrets in order to connect to the database. The way to establish the connection is passing the values called FIREBASE_HOST (the databases URL) and FIREBASE_AUTH (which is the secret).
What fears me is that, as the secret is written in the code directly, malicious agents could potentially see that piece of code and retrieve the databases secret.
So that's the question I have, could someone who is connected wirelessly or physically (if it were possible) to the ESP32 scan its running code to get the secret token?
Everything - the code, the data, the non-volatile storage - in an ESP32 system is stored in an external Flash chip. This means that with physical access to the device the content of the Flash chip can be read by anyone. I could just connect the debugger to the device and read the entire Flash using the official Espressif tools. If the debug interface is not available, I could just attach to the Flash chip directly (I could build my own Flash interface using another ESP32 and rewire the Flash connections to it) and read it without even powering up the ESP32 micro. If your secrets are stored in there unencrypted, they're exposed via physical access. Don't know about WiFi, so will defer to someone more knowledgeable.
The solution to this problem on the device side is to encrypt the Flash and only boot signed binaries.