The importance of firebase/firestore security rules (how I hacked my own app)

Damian Matyja
4 min read · Nov 23, 2020

Firebase/Firestore is a great backend as it is very simple to integrate into a mobile app. After adding the dependencies to the app and providing the app's package name to Firebase, you are pretty much set up. But there is a risk: an improper implementation of security rules can lead to a serious breach, which I will show in this article.

Let’s have a look at the official documentation on how to store users’ data:

Let’s make a simple user database with sample data. The app will be written in Java and will implement a simple flow for getting the user’s location and writing it to Firestore. The data will be stored in the ‘data’ collection, in a document named after the user’s email.

Security rule that only allows logged-in users to read from and write to the database:

And this is how we are going to set the String userEmail in the app itself:

Now let’s write the data to Firestore:

And after a successful write, let’s read the data back in the app by calling the readData method:

So everything seems OK and the database has the correct data:

So let’s assume there are a lot more users, and therefore documents, and we know that our friend is using this app with his email hacked@test.com. Since we can only read our own data, because the document is always the logged-in user’s email, there is no way to access his data. Or is there? Let’s dive into apktool and decompile the final APK. I am using the Kali Linux distro for this:

The app is decompiled, so we now open the .smali file and look for the document reference:

We don’t want the document to be set to userEmail, so let’s replace it manually with the email string we want to read data from, and then recompile the APK:

Now we need to sign it, otherwise it will not install on a device:

Now that the app is installed we are able to read hacked@test.com’s data!

OK, so it’s time to talk about how to prevent this. It is very simple: always validate who is accessing the data with a security rule, and key each document by the user’s UID instead of the email. The UID is not stored anywhere on the device, is too difficult to brute-force, and is validated by the security rule below!
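An added example (written for this edit, not the screenshot from the original post) showing the "any logged-in user" rule the article started with next to the hardened rule described above. It assumes the ‘data’ collection from the article and that the client now uses the Firebase Auth UID as the document id.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Weak rule (the kind used earlier in the article): any signed-in user
    // may read or write ANY document in 'data'. A patched client that asks
    // for another user's document is still allowed through.
    //
    // match /data/{doc} {
    //   allow read, write: if request.auth != null;
    // }

    // Hardened rule: documents are keyed by the Firebase Auth UID, and the
    // rule checks that the caller's uid equals the document id it touches.
    // Patching the client to request a different id now fails server-side
    // with PERMISSION_DENIED, because the uid comes from the verified
    // ID token, not from anything the app sends.
    match /data/{userId} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }
  }
}
```

On the client side the document id then comes from FirebaseAuth.getInstance().getCurrentUser().getUid() rather than from the email, so there is no user-supplied string in the path for the rule to trust.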

Thank you for your time, and happy and secure coding!


Damian Matyja

I am from Rzeszow, Poland and I'm coding for fun aside from my day job. Mostly in flutter, but Java too. I like to tinker with apps using apktool and Jadx.