How to provide Firestore Authentication in Android?

I am making an Android Application to manage finances. Each user has their own details under the collection users in my database financier. I am not using any type of Sign-In method. It is a custom sign up with my custom form.

For now, I have been changing the database rules to accept any request before a given date as the application is under development.

I want the users to operate under my credentials. I am not thinking of publishing this application anywhere, but I want the application to be authenticated, like using the service-account-key.json in NodeJs.

If I put the JSON file in my project, will it be exported at the time of exporting the APK? If so, will any user be able to get the credentials to my database by taking out the JSON file?

Answer

If I understand you correctly you’re thinking of including your service account credentials in an app, that you then ship to your users. I highly recommend against doing that.

Any information you include in the APK, or that is loaded by the app at runtime, can in principle be intercepting by users of that app. And if they do so, the service account credentials will give them full, unrestricted access to your project.


The most common way to secure access is by signing the user’s in to Firebase Authentication, and using that information in the security rules of your database, and in Cloud Functions.

You can either have them sign in with an existing provider, build your own custom provider, or even use anonymous authentication (which means they don’t have to enter any credentials). What all of these have in common is that the user gets a UID, and a token, that is passed to the server and database with each request, and that can’t be forged.

That’s actually another of the dangers of including your service account credentials in your APK: they’d allow a malicious user to forge their own tokens/UIDs for your project.


An alternative that doesn’t require signing in with Firebase Authentication is to route all access to the data to a custom backend that you code, either on your own server, or in Cloud Functions. But this means that you’ll have to ensure all access is authorized in that server-side code too. So you’d essentially be writing in server-side code, what you’d otherwise write in Firebase’s server-side security rules.

Leave a Reply

Your email address will not be published. Required fields are marked *