Question
I have some concerns about using Firestore directly from mobile clients. I saw that with Firestore, the mobile app controls the db directly. The only db-side control is rules. However, I do not yet understand how I can resolve my concerns. I am worried because by decompiling the app, or in other ways, someone may be able to access it maliciously.
To resolve my concerns and improve the security I want to:
- Limit access per time for a user. For example, if someone wrote to or read from the db 30 seconds ago, I want to block their access until 1 minute has passed. This is especially important for writing.
- I want to have only the document owner write their documents and block others from writing. To do this I don't want to store the owner id in the same document, because if I put this information there, readers can receive it and maybe in some way they can send a write request with this information.
In summary, I want to prevent malicious and excessive requests that exceed the limits. I want to avoid the risks on the db side. How can I resolve my concerns in the two matters above?
Scenario:
Think that there is a harmful someone with the name X. X knows how to decompile the mobile app, or maybe knows how to send requests to my application's Firebase Firestore account (maybe by watching the communication, I don't know). X wants to harm my application. First, X watches the communication, and if we give the owner userid in the document, X receives the needed information and sends a request with a changed userid or auth.uuid. Secondly, X wants to disable the Firebase of my application. To do this X sends too many requests. The limit is exceeded due to too many requests. Note: I am using Firestore directly with the mobile application. There is no web service in between.
How can I avoid this scenario?
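The two controls asked for above (owner-only writes without exposing the owner id, and a per-user write interval), expressed as Firestore security rules. This is an added example, not code from the question or from Firebase; the collection names `posts`, `owners` and `throttle` are assumptions, and the client is assumed to write `lastWrite` with a server timestamp in the same batched write as the post.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    function signedIn() {
      return request.auth != null;
    }

    // Owner record kept apart from the post (assumed collection "owners").
    // No client may read it, but rule evaluation can still get() it, so
    // ownership is verified without ever exposing the owner uid to readers.
    match /owners/{postId} {
      allow read, update, delete: if false;
      allow create: if signedIn()
        && request.resource.data.uid == request.auth.uid;
    }

    // One throttle record per user (assumed collection "throttle"), unreadable
    // by clients. The stamp must equal the server time of this request, and an
    // update is accepted only once the previous stamp is at least 1 minute old.
    match /throttle/{uid} {
      allow read: if false;
      allow create: if signedIn() && uid == request.auth.uid
        && request.resource.data.lastWrite == request.time;
      allow update: if signedIn() && uid == request.auth.uid
        && request.resource.data.lastWrite == request.time
        && resource.data.lastWrite + duration.value(1, 'm') <= request.time;
    }

    // Assumed user-content collection "posts".
    match /posts/{postId} {
      allow read: if signedIn();
      // A create must, in the same batched write, create the owner record and
      // stamp the throttle record; getAfter() evaluates the batch's end state,
      // so a client cannot skip either side write.
      allow create: if signedIn()
        && getAfter(/databases/$(database)/documents/owners/$(postId)).data.uid
             == request.auth.uid
        && getAfter(/databases/$(database)/documents/throttle/$(request.auth.uid)).data.lastWrite
             == request.time;
      // Only the owner, looked up from the private record, may update or
      // delete, and the same throttle stamp is required.
      allow update, delete: if signedIn()
        && get(/databases/$(database)/documents/owners/$(postId)).data.uid
             == request.auth.uid
        && getAfter(/databases/$(database)/documents/throttle/$(request.auth.uid)).data.lastWrite
             == request.time;
    }
  }
}
```

The interval applies per batched write, not per document, and rules cannot throttle reads at all because rule evaluation cannot write state; read-volume abuse is a matter of App Check, quotas and budget alerts rather than rules.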
Source: https://stackoverflow.com/questions/56483932/using-firebase-firestore-with-mobile-clients-directly-is-secure-enough-how-can