I've just had an Android Firebase app penetration tested, and the tester found a file com.google.Firebase.auth.api.xml within Shared Preferences. It contained the access_token + refresh_token (which could be used to access the Firebase API).
Has anyone else experienced this vulnerability and know the best way to fix it?
(I can't work out or understand why this information is being stored locally, I've taken a look through the Firebase documentation and through my app and as far as I can tell everything is integrated properly. The app itself uses Firebase as the backend server which handles logins, authentication, Firestore and Storage)
Any help would be massively appreciated.
Got in touch with Firebase and this is the response for anyone interested:
"I understand your concern, as you have said the file is used to re-authenticate the user, however, those values are set after a successful login and the SDK updates that file each hour. The vulnerabilities that you may have noticed should be related to modifying information related to that specific user and the features or data the user has access to. Please remember that the Firebase security is not only on the Authentication product, they are more tools that enforce the security in a Firebase application, that is the reason why your Security Rules should avoid insecure rules and match with your business model."
Related
After looking at firebase documentation for hours I figured out that the only way to avoid a reCaptcha while phone authentication is using Safety Net. But even after I read the documentation and implementated attest() method, the phone authentication doesn't work.
Code used for safety net before Phone auth in firebase
Firebase Auth does not require firebase App Check. Firebase App Check if for protecting the data and firebase auth if always protected by google and only the connected app can access. So you need not add Firebase App Check.Or if this is not the case, please make sure that the phoneNumber Verification is enabled
but remember, till now firebase has not implemented anything to remove the reCaptcha
I have developed an android app that directly interacts with the MongoDB for insertion and fetching the data.
I have credentials stored inside a config file of android app that I read inside the app.
mongoDBConnection:
credentials:
username: "test"
password: "test"
database: "admin"
connectionString: "mongodb://localhost:27017"
The app works as expected when installed on a phone, the worry that I have is if I ship the app can anyone decompile the app and retrieve the credentials back?
To solve the issue, the android app can interact with a backend which will route requests to mongoDB and monogo credential are stored in that backend.
I wanted to get inputs on before implementing the backend on whether a backend is required or is there any way in android app itself to store the credentials such that it does not get exposed when decompiled?
if I ship the app can anyone decompile the app and retrieve the credentials back?
Yes.
is there any way in android app itself to store the credentials such that it does not get exposed when decompiled?
No, this isn't possible. You can obfuscate them to make it harder, but it's impossible to prevent a sufficiently skilled/determined attacker from retrieving them if the app has them.
To solve the issue, the android app can interact with a backend which will route requests to mongoDB and monogo credential are stored in that backend.
This is the only way to do this, and the correct solution.
if I ship the app can anyone decompile the app and retrieve the
credentials back?
Technically yes. But if you use proguard it will be really hard for someone to figure out your DB credentials. This can be your first line of defense
is there any way in android app itself to store the credentials such
that it does not get exposed when decompiled?
Yes. Use Keystore.
Follow this article
The company that I work for has some small android applications running that communicate with their ERP software lately they requested to authenticate users and have sessions for safety reasons
Instead of integrating the autheticate and session code into every app (6) I want to build an Android app that acts like a dashboard. The app will authenticate the user, create a session and show the available apps on the device that the user can access with their user role.
The problem is I need the know which app requires which user role
I don't want to store this information in the dashboard app sinds that will require me to update the dashboard app each time i create or change an app
I was thinking or using an Content provider but that seems to be a lot of work and redundant since it has to be integrated into every app that I have (6)
So my question, is there a way to get data from apps that can easily be implemented. The data isn't big (only one Integer)
thanks in advance.
I have a restaurant app showing profiles of the chefs we got...
I set a Firebase database where users can rate each chef..
yet I want to get a unique id for each installation of the app which is persistent with time, so that a user can re-submit a rate for a chef yet he's contributing to the whole rate only once..
is there such an id ?
is there a better way to do so?
thanks in advance, great people..
If your users sign in with Firebase Authentication, you'd typically use their UID for this purpose.
That would prevent them from rating the same check multiple times, even if they use the same app on multiple devices, or reinstall it on the same device.
If you're not (yet) using Firebase Authentication, I'd recommend adding it for this use-case anyway. You can use it without requiring your users to sign in, by using anonymous authentication. This is as simple as calling:
FirebaseAuth.getInstance().signInAnonymously();
But follow the instructions in the documentation to ensure you don't create a new UID every time the app runs.
I am developing an Android App where I require a user to authenticate his session before using the app. One way is to store a user name and password by asking him to register on the app and then use that to authenticate him. But i was looking to do something else, maybe use an OpenId account to authenticate or Opensoial or something like Facebook Connect. Any Suggestions and comments? thanks for you help.
Using OpenID is a great idea in fact. You can use the OpenID4Java library. As you can read here, someone has modified that project in order to make it Android compatible.
I know this is an old question but i found this while asking a newer question.
Just an idea but have you looked at the account manager? What version of android are you targeting?
The sample sync adapter example (http://developer.android.com/resources/samples/SampleSyncAdapter/index.html) uses the account manager (http://developer.android.com/reference/android/accounts/AccountManager.html)
It looks like a more secure way of using credentials on a native android client because you don't have to store the password at all locally in your app.