Search code examples
androidfirebasegoogle-cloud-platformgoogle-cloud-firestorefirebase-security

How can an attacker will be able to access my cloud firestore database, If I have not setup any cloud firestore security rules

Example:

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}

{
  "project_info": {
    "project_number": "project-number",
    "project_id": "project-id",
    "storage_bucket": "project-storage-bucket"
  },
  "client": [
    {
      "client_info": {
        "mobilesdk_app_id": "mobilesdk_app_id",
        "android_client_info": {
          "package_name": "com.example.sample"
        }
      },
      "oauth_client": [
        {
          "client_id": "client_id..apps.googleusercontent.com",
          "client_type": 3
        }
      ],
      "api_key": [
        {
          "current_key": "api_key"
        }
      ],
      "services": {
        "appinvite_service": {
          "other_platform_oauth_client": [
            {
              "client_id": "client_id.apps.googleusercontent.com",
              "client_type": 3
            }
          ]
        }
      }
    }
  ],
  "configuration_version": "1"
}

I am building an Android app that will be using Cloud Firestore. I know that an attacker can decompile the app and get the google-services.json file.

But then how will they know the database details like database ID etc?

Solution

  • Your question says, the title: "How can an attacker will be able to access my cloud firestore database, If I have not setup any cloud firestore security rules?" Yet, the question goes on to show the rules you have set. Every Firestore database created through the Firebase console has security rules, even if you didn't set them yourself.

    Your rules, in particular, match all documents in all subcollections (match /{document=**}) and allow full read/write access to all of those documents (allow read, write: if true).

    I know that an attacker can decompile the app and get the google-services.json file. But then how will they know the database details like database ID etc?

    With Firestore, the ID of the default database is the same as the ID of your project. That ID is sitting right there in the google-service.json file you mentioned. In your fake example, the project ID is "project-id". This is public information once your app is published, as is all of the instructions your app contains that accesses Firestore documents. Someone with your public source code (or just watching the network access of your app) can know the names of all the collections your app accesses.

    Using only the project ID and the names of documents and collection, anyone can use the Firebase SDK to reproduce that access. All they have to do is intitialize the Firesbase SDK with the same contents as the public google-service.json. Or, they could even use the Firestore REST API to directly access your database contents without needing any SDK at all.

    If you don't want your database to be fully public like this, you will need to spend time integrating security tools like Firebase Authentication, Firebase App Check, and good security rules that limit access to the database to only the authenticated users who should have access.