How to secure my Firebase API key?

Post » Mon Jul 31, 2017 2:32 pm

I want to secure my firebase database for my mobile app and recently I've found that data.js contains API key for the FirebaseAPIV.3 (rex's plugin).
My questions here are:
1. Is it normal (or safe) for my app to contain Firebase API key data?
2. Is it possible for someone to alter my app and sabotage my database using their altered version of my app? (considering that I haven't done any server-side security)
3. Is there anything else security-wise that I should be concerned about?

Post » Thu Aug 03, 2017 8:57 pm

If you give your master API key to all of your users, they will have the same permissions with your database as you do.

1. Yes, but you should generate more keys for each of your users (or at least for each user group, like Player)
2. Yes. (Assuming the API key is used as a session ID)
3. Authorization will allow you to give each user group fine-grained control over what they .read or .write to.

We're going to assume that Google takes care of the deeper security aspects.

Although, this fellow seems to disagree: https://stackoverflow.com/questions/374 ... the-public
I would still make a separate API key for your users though, just to be safe.
https://www.ravenheart.ca/home
I don't check the forums much anymore, but I will receive an email for PMs.

"Someone once told me I bite off more than I can chew...

I told them I would rather choke on greatness than nibble on mediocrity."
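The per-user .read/.write control mentioned above is enforced by Firebase Realtime Database security rules, not by the API key itself. As an added example (not code from this thread or from rex's plugin), this is a rules file that denies everything by default, lets a signed-in user read and write only their own node, rejects unexpected fields there, and keeps a shared leaderboard read-only; the paths users, leaderboard, displayName and score are assumed names, and auth is only populated when the client has signed in through Firebase Authentication.

```json
{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        "displayName": {
          ".validate": "newData.isString() && newData.val().length <= 32"
        },
        "score": {
          ".validate": "newData.isNumber() && newData.val() >= 0"
        },
        "$other": {
          ".validate": false
        }
      }
    },
    "leaderboard": {
      ".read": "auth != null",
      ".write": false
    }
  }
}
```

With these rules a modified client holding the same API key can still connect, but every read and write is checked against auth.uid on the server, so it can only touch its own user node.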

Post » Sat Aug 05, 2017 7:46 pm

I think it might be better to get rexrainbow to encrypt the key in the plug, or at least allow users to set what the key is at runtime, which we can in turn encrypt/decrypt ourselves via some other plug.
But you need to make a post in his thread about the plug, otherwise he may not see this.
It's not like he's not super busy with other stuff.

Post » Mon Aug 07, 2017 4:26 pm

newt wrote:I think it might be better to get rexrainbow to encrypt the key in the plug, or at least allow users to set what the key is at runtime, which we can in turn encrypt/decrypt ourselves via some other plug.
But you need to make a post in his thread about the plug, otherwise he may not see this.
It's not like he's not super busy with other stuff.

Finally reply is working.

Thanks but using gumshoe method is doing just fine for me.
The only thing that's bothering me now is that rex's authentication plugin doesn't work in a mobile webview. I still haven't found the solution yet, but my assumption is that it has something to do with in-app deep links (or universal links). I'm still solving the problem.

Post » Tue Aug 08, 2017 3:54 pm

newt wrote:I think it might be better to get rexrainbow to encrypt the key in the plug, or at least allow users to set what the key is at runtime, which we can in turn encrypt/decrypt ourselves via some other plug.
But you need to make a post in his thread about the plug, otherwise he may not see this.
It's not like he's not super busy with other stuff.

You can't really encrypt anything in the browser, because people can simply take your key and encryption algorithm and decrypt the key in the source. JavaScript is never secure. :(

Post » Tue Aug 08, 2017 4:58 pm

Beyond the exception of the would-be hacker figuring out the encryption type, which would indeed be exceptional, you can also obfuscate strings by simply splitting them up and making them guess the true order. Ascertaining that from the runtime would also be horribly complicated, even without minification.