0

I want to configure a Firebase database so that it only accepts connections from my iOS App.

I have no problem in configuring rules to manage access from authenticated users, etc..., but i want to know what is the best approach to prevent connections from other Apps than mine.

How can i do that?

To be more concrete to the user case. My App is a service and the users can register to use it authenticating with twitter and Facebook. Users will pay for the service, and the App will use Firebase as the backend, and that means that i will pay for the Firebase service. Users pay me, and i pay Firebase. So that is the reason that i only want that my App is the only one that connects and uses the Firebase database. And i think this is the common case out there. Other backend services as Parse, allow you to do this by using a secret key when the App connects.

vicentevicens
  • 1
  • 2
  • Can you explain the use case for this? Specifically, if a user has valid auth credentials, why would it matter where they connect from? It sounds suspiciously like "how do I prevent things in the cloud from being in the cloud." Understanding this should help narrow the scope of answering. – Kato Apr 19 '14 at 16:02
  • The data stored in Firebase has been curated and it is meant to be consumed by the iOS App. This data is part of the value that the iOS App gives to its users, and for that it can not be accessed from anywhere else. – vicentevicens Apr 19 '14 at 16:13
  • And is there some means a server in the cloud can use to ensure a request is received from an app versus a browser, other than the browser signature (which can of course be faked)? I can provide the Firebase part for securing the data, but not tell you how any web service can ensure a connected device is one type or another. – Kato Apr 19 '14 at 16:18
  • Hi Kato. I am not interested in knowing the type of device or if it is a web or mobile. What i want is that the App could authenticate itself like the user does. Think of it as a social App. On one side i want to let users to authenticate themselves using twitter and Facebook, etc... On the other side i only want the the use the data trough my service (my App). Both sides makes the business posible. – vicentevicens Apr 19 '14 at 16:28
  • Would it be reasonable to have the app register in some manner with a service, so that each instance of the app receives a unique identifier? If so, I could explain how this might be utilized. – Kato Apr 19 '14 at 16:35
  • As you can see from my line of questions, your use case here is extremely vague and doesn't really capture the essence of your question. It would be extremely helpful if you laid out a specific, detailed use case to solve in the question. – Kato Apr 19 '14 at 16:37
  • Thanks Kato. To be more concrete to the user case. My App is a service and the users can register to use it authenticating with twitter and Facebook. Users will pay for the service, and the App will use Firebase as the backend, and that means that i will pay for the Firebase service. Users pay me, and i pay Firebase. So that is the reason that i only want that my App is the only one that connects and uses the Firebase database. And i think this is the common case out there. Other backend services as Parse, allow you to do this by using a secret key when the App connects. – vicentevicens Apr 19 '14 at 16:50
  • If you can, update your question to reflect this for future readers. I'll take a stab at answering it. – Kato Apr 19 '14 at 16:51
  • I have just updated it :-) – vicentevicens Apr 19 '14 at 16:52

1 Answers1

4

If I understand the question correctly, the criteria are as follows:

  1. You offer a purchasable app that provides access to premium data
  2. Only paid customers should be able to read that data
  3. It is possible for users to log in with FirebaseSimpleLogin without downloading your app
  4. You would like to prevent this

Assuming all of this is correct, I see two quick answers:

Create your own auth tokens

Since FirebaseSimpleLogin is available from in the cloud, you won't be able to prevent users from authenticating based on device. But FirebaseSimpleLogin is just a wrapper on the token generator, so nothing stops you from generating your own.

#!/usr/bin/env node

var FirebaseTokenGenerator = require("firebase-token-generator");
var tokenGenerator = new FirebaseTokenGenerator(YOUR_FIREBASE_SECRET);

if( validateUserIsFromiOSApp() ) {
   var token = tokenGenerator.createToken({id: userId});
}

function validateUserIsFromiOSApp() { /* ??? */ }

Now one can simply turn off simple login and users will have no way to authenticate without first obtaining a valid token from your service. Security rules here are proprietary, but would contain something like this:

".read": "auth.uid !== null"

With some creativity, depending on the use case for requiring twitter/facebook auth, you might be able to bypass the entire auth process by simply having the app request a token when it registers and never forcing the user to authenticate at all.

Using some meta data in conjunction with simple login

Of course, simple login is by definition simple, and does not require a server process. You could utilize this by storing information about which users have purchased your app:

  1. user purchases app from store
  2. during receipt of transaction, you store user id and purchase record in Firebase
  3. use simple login auth as normal
  4. add a security rule to ensure user has purchased the app

The security rule would look something like this:

".read": "root.child('purchase_receipts/'+auth.uid).exists()"

Additional reading:

Rob DiMarco
  • 13,226
  • 1
  • 43
  • 55
Kato
  • 40,352
  • 6
  • 119
  • 149