After looking at firebase documentation for hours I figured out that the only way to avoid a reCaptcha while phone authentication is using Safety Net. But even after I read the documentation and implementated attest() method, the phone authentication doesn't work.
Code used for safety net before Phone auth in firebase
Firebase Auth does not require firebase App Check. Firebase App Check if for protecting the data and firebase auth if always protected by google and only the connected app can access. So you need not add Firebase App Check.Or if this is not the case, please make sure that the phoneNumber Verification is enabled
but remember, till now firebase has not implemented anything to remove the reCaptcha
Related
I've just had an Android Firebase app penetration tested, and the tester found a file com.google.Firebase.auth.api.xml within Shared Preferences. It contained the access_token + refresh_token (which could be used to access the Firebase API).
Has anyone else experienced this vulnerability and know the best way to fix it?
(I can't work out or understand why this information is being stored locally, I've taken a look through the Firebase documentation and through my app and as far as I can tell everything is integrated properly. The app itself uses Firebase as the backend server which handles logins, authentication, Firestore and Storage)
Any help would be massively appreciated.
Got in touch with Firebase and this is the response for anyone interested:
"I understand your concern, as you have said the file is used to re-authenticate the user, however, those values are set after a successful login and the SDK updates that file each hour. The vulnerabilities that you may have noticed should be related to modifying information related to that specific user and the features or data the user has access to. Please remember that the Firebase security is not only on the Authentication product, they are more tools that enforce the security in a Firebase application, that is the reason why your Security Rules should avoid insecure rules and match with your business model."
I'm creating an application which is going to be active for first 30 days and after that the user should get automatically log out from application itself (as user's account will be deactivated), or is there is any workaround for the same because I can disable accounts from Firebase Console but that doesn't affect any user if they remains logged In.
Mainly I wanted this for Android Studio, I can do the required method through Firebase Database itself but just wanted to know if there is any alternate method available.
If you are asking how to disable a Firebase Authentication user account, that's not possible from within web or mobile application code. You can instead write backend code using the Firebase Admin SDK.
You can disable the account by updating the user and setting the disabled flag to true. Or you can delete the account entirely if you are done with it.
I'm developing an android banking app and want users to stay logged in even after app is shut down. My idea to make this as secure as possible was to store a unique device id in the JWT and then extract the id from the token and compare it to the device id fetched from device at startup of app.
I would store the token in SharedPreferences, however, I just read that these device id's are not always unique due to people rooting they're phones. What would be the best solution? How can I be sure that the token I'm verifying at startup, is given to that user/device? I don't necessarily need to use device id's so any other secure option is welcome.
I don't think it's a good idea to have a persistable login session inside something as sensitive as banking app, but if you insist:
Use SafetyNet Attestation API for checking if the device you're running your app on is rooted and if it is, prevent the user from interacting. Once you did that just use regular SharedPreferences with Mode.PRIVATE and no one should be able to read this data outside of your app.
I have just developed a new Android app for my company.
On the home page of the app we would like to display a number of our companies latest Facebook posts.
When send the request to the API i am receiving the error
"message": "(#200) Access to this data is temporarily disabled for non-active apps or apps that have not recently accessed this data due to changes we are making to the Facebook Platform. https://developers.facebook.com/status/issues/205942813488872/"
I have looked into this extensively and understand it is due to Facebook upgrading their APIs due to the recent data breach.
Within the app i have successfully implemented the Facebook Login API and can retrieve a new access token for the user.
I have generated all the necessary hash keys for the android app and have set it all up correctly on the facebook developer console.
I can achieve the functionality i require by getting the Access token from the Facebook developers Graph API Explorer however, this is not a good implementation as it is linked to my Facebook account and also only lasts for an hour.
The Facebook API states that public pages can be accessible using any user access token.
Is there currently anyway at all to use a user access token generated from the user login to retrieve a Facebook page data.
the only data i wish to retrieve is; the message, the time created and the image.
Is this possible with the current state of the Graph API or is it just a waiting game to see what Facebook will do next in the coming weeks?
Thanks.
I'm developing an android app and I want to insert a chat into it.
I read I could use FCM(Firebase Cloud Messaging) to develop the chat, but I want to know one thing: is it possible to use FCM without logging in with google credentials on my app?
Yes. You can use Firebase Cloud Messaging without requiring the users of your app to sign in. Each app instance is identified by a so-called FCM token. See https://firebase.google.com/docs/cloud-messaging/android/client
Firebase realtime db can be used to create chat apps in tandem with usage of Firebase cloud messaging. However if you want to keep the DB safe and secured, you will need some form of Authentication.
This does not necessarily have to be google auth. Check out Firebase Auth and the methods they support.
Alternatively, you can use Google oauth apis to generate an Auth token and use them with Firebase REST apis and not have to use Firebase auth.
Summary: Yes you can build the chat app with Firebase RTDB and FCM without google auth or any auth. But it's advisable to use some for of Auth (Firebase auth, Google oauth, Twitter oauth or Facebook oauth are such examples)