Is Firebase Secure?
It was a revelation to us, when auditing a Firebase app, that Firebase itself has some security flaws. My blog post showing the evidence of that gained some attention, so I thought it might be good to give a wider view of whether the platform is secure or not, and what kinds of data it might be suitable or unsuitable for.
Outside of any security issues, Firebase is a great back-end system for apps. It’s reliable, easy to develop with, and relatively cost-effective. Security-wise, its feature set is limited and so readily testable by hackers like us, making it easily auditable. If a critical flaw did open up, there’s a reasonable chance, therefore, that it would be fixed very quickly.
In the following series of blog posts, I will be auditing Firebase to reveal any system-wide or architectural security problems it may have.
But that sort of problem isn’t what causes most critical security issues.
The security of any one instance of Firebase is down to the third party developer who set it up for their app. To be secure, Firebase must be configured securely by the developer who’s using it. And therein lies the problem.
This series of blog posts, therefore, is also focused on the common problems we see when we audit Firebase apps. Those easy-to-miss details which can easily introduce serious security flaws.
It’s easy to overlook security in Firebase
The problem is that Firebase is suitable for developers who don’t have the experience or understanding of how to secure their systems. Google had to create a system which allowed people to get started easily, so its default security rules had to be lax.
For example, within a few clicks you can create a Firestore database which allows anybody in the world complete access to all the data in it (both read and write). Google had to make it that way, because it meant you could write your code first and postpone learning about security until afterwards. In other words, it made Firebase easy to learn. But the danger, of course, is that developers never get to learning the security bit, so they release apps which have been insecure from development to post-launch.
Of course, Google bugs you if you don’t bother to change the rules from the default, and these days even offers some other rules templates. But even so, we have more than once audited apps which have completely open databases and no security rules. That’s pretty insane: it meant the entire contents of the database — personal data, everything — was open for anyone to access and even edit for fun.
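As an added example (not code from the original post), here is a heuristic check for the completely open database described above: it flags every allow statement in a Firestore rules file whose condition never looks at request.auth. Both rule sets are constructed samples, the /users/{userId} layout is a hypothetical, and a flagged rule is a prompt for manual review rather than proof of exposure.

```python
import re

# Constructed sample: every document is readable and writable by anyone.
OPEN_RULES = """
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}
"""

# Constructed sample: a signed-in user may only touch their own document.
# The /users/{userId} collection is a hypothetical layout.
SCOPED_RULES = """
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
  }
}
"""

# "allow <ops>;" or "allow <ops>: if <condition>;"
ALLOW = re.compile(r"\ballow\s+([\w\s,]+?)\s*(?::\s*if\s+(.*?))?\s*;", re.S)

def find_open_rules(rules_text):
    """Return (operations, condition) for allow statements that never check request.auth."""
    text = re.sub(r"//[^\n]*", "", rules_text)  # drop line comments
    findings = []
    for m in ALLOW.finditer(text):
        ops = [op.strip() for op in m.group(1).split(",")]
        # An allow statement with no condition grants access unconditionally.
        cond = (m.group(2) or "true").strip()
        if cond == "false":
            continue  # explicit deny
        if "request.auth" not in cond:
            findings.append((ops, cond))
    return findings

if __name__ == "__main__":
    for name, rules in (("open", OPEN_RULES), ("scoped", SCOPED_RULES)):
        print(name, find_open_rules(rules))
```

Rules that delegate the auth check to a helper function will also be flagged, so read the condition that is reported before treating a finding as a real exposure.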
This series of posts
So I’m beginning a series of blog posts on this subject. The aim is to provide a pretty in-depth study of what we look for when auditing Firebase apps.
In each post I’ll be looking at a different Firebase product, starting this week with Firebase Auth.
I hope you find it helpful. And as ever, if you have any questions please do reach out.
Here’s the first post in the series: Is Firebase Auth Secure?
Tom Colvin is CTO of Conseal Security, the mobile app security experts; and Apptaura, the app development specialists.