问题描述
我在Play商店中发布了一个应用,我想在该应用中实现Firebase.
I have an app published on the play store, I want to implement firebase in the app.
我已经阅读了所有文档,并且有两个疑问:
I have read all the documentation and I have two doubts:
-
如果有人在我的应用程序中使用apk反编译器并获取googleservices.json,他们可以对数据库执行任何操作吗?
If someone use apk decompiler with my app and get the googleservices.json, they can do whatever they want with the database?
在没有用户登录的情况下我的数据库是否安全?
It is possible that my database is secure without having the user logged-in?
我将不胜感激
推荐答案
-
某人可以阅读您的 googleservices.json 的事实并不涉及安全漏洞.如果您正确配置了Firebase项目,您会注意到在"项目设置"面板中有一个SHA-1签名要添加.如果您添加调试/生产密钥库的签名,则只有具有特定签名的应用会使用googleservices.json的数据与Firebase平台进行通信. (如果您决定不提供SHA-1,则Google将使用其他方式作为标识机制,如此处)
The fact that someone can read your googleservices.json doesn't involve security holes. If you configured your Firebase project correctly, you will notice that in the "Project Settings" panel there is a SHA-1 signature to add. If you add the signature of your debug/production keystore, only apps with the specific signature con use the data of googleservices.json to communicate with your Firebase platform. (If you decide to not provide a SHA-1, Google will use something else as identification mechanism as described here)
这个问题不是很清楚.您的数据库每次都是安全的.如果您的用户未登录,则可能无法与数据库进行通信.请记住,用户只能看到自己的数据,因此,如果您的应用逻辑正确,则登录用户将不能看到其他人的敏感数据.此外,请记住不要像下面的图片那样在"规则"面板中更改数据库/存储连接规则,以防止未经授权的操作:
This question is not very clear. Your database is safe everytime. If your user is not logged in, probably he will not able to communicate with the database. Remember that a user should only be able to see it's own data, so if your app logic is correct a logged user shouldn't be able to see other peoples sensitive data. Moreover remember to not change the database/storage connection rules in the "Rules" panel like in the image below to prevent unauthorized operations:
这篇关于无Firebase身份验证的Firebase数据库安全的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!