3

My Android app uses to sign in to access the data in Real-time database. I don't want anyone to make any changes in the database outside of my app. If someone got the Firebase JSON file by extracting it from the Android APK file and if they have an account in my app, can they create a web app (or a mobileapp) to login with the credential and access my app database?

I have set the security rules such that user can access only what they are suppose to access and I have done validations (like isNumber) but only basic validations can be done in the server side.

So if he can login outside of my app, he will be able to bypass the validations I do in the app.

Also additionally, I want to know if someone got access to that JSON file, can he also create new users?

AL.
  • 36,815
  • 10
  • 142
  • 281
Iqbal Inzamam
  • 73
  • 1
  • 6
  • 1
    Creating users is not a security risk, it just identifies them. But indeed: if somebody writes an app for your database and adheres to your security rules, they can indeed access the data. That is the nature of a client-side accessible cloud database. But it is possible to secure a database quite well using Firebase's security rules. They are not just for basic validations. – Frank van Puffelen Jan 19 '17 at 22:40
  • 2
    Some relevant answers: [1](http://stackoverflow.com/q/36943350/), [2](http://stackoverflow.com/q/37907879), [3](http://stackoverflow.com/q/38954301/), [4](http://stackoverflow.com/q/39133918/) and [5](http://stackoverflow.com/questions/18005984/how-to-prevent-other-access-to-my-firebase) – Frank van Puffelen Jan 19 '17 at 22:44

0 Answers0