Friday, 12 August 2022

Making secure apps with Firebase and react native

While working on security, always remember that you should never trust client side data! You can add validations on the client side, and it is good practice to reduce the load on the server, but you should always perform the same validation on the server side.

First start by scanning your client side and then slowly move towards your server side:



Detailed article about client side security from the React Native team:
https://reactnative.dev/docs/security

Other refs:

https://stackoverflow.com/questions/55856221/what-is-the-most-secure-way-store-keys-in-react-native


Backend (server side) security:

Full checklist from the Firebase team: https://firebase.google.com/support/guides/security-checklist

https://developers.google.com/learn/pathways/firebase-security-layers

https://firebase.blog/posts/2019/03/firebase-security-rules-admin-sdk-tips

https://www.youtube.com/watch?v=pvLkkLjHdkw

https://www.youtube.com/watch?v=BGCLPiR_0Lg

https://www.youtube.com/watch?v=oFlHzF5U-HA


Let's try to understand some common attacks on the server side:


1) DDoS attack:

Though this is not perfect, Firebase provides App Check so that you can assume that a request is coming from a verified app.

https://firebase.google.com/docs/app-check

App Check for functions: https://firebase.google.com/docs/app-check/cloud-functions?authuser=0&hl=en

You can also set up Cloudflare between Firebase and your app and allow only certain origins.


2) Man in the middle:

Man-in-the-middle attacks are common for unencrypted data, so always use encrypted endpoints.

Luckily, Firebase Cloud Function calls are E2E encrypted (they go over HTTPS).
Still, for more sensitive information it is recommended that you come up with your own encryption mechanism on top of that.


3) Protect your Firestore:

Always remember to write your security rules. Make yourself comfortable with security rules and write them carefully.
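As an added illustration (not from the original post), here is the open "test mode" rule set beside a locked-down one for a hypothetical /users collection; the collection and field names are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK: the "test mode" default. Anyone who knows the project id can read
    // and rewrite every document, which is what the open-database incidents
    // linked at the end of this post rely on. Never ship this.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // HARDENED: one document per user under a hypothetical /users collection.
    match /users/{userId} {
      // Only the signed-in owner can read their own document.
      allow read: if request.auth != null && request.auth.uid == userId;

      // Writes must come from the owner and pass the same schema checks the
      // client already does: no extra fields, correct types, bounded size.
      allow create, update: if request.auth != null
        && request.auth.uid == userId
        && request.resource.data.keys().hasOnly(['displayName', 'email'])
        && request.resource.data.displayName is string
        && request.resource.data.displayName.size() <= 50
        && request.resource.data.email is string;

      // Deletion is done server side with the Admin SDK (which bypasses
      // rules), never by clients.
      allow delete: if false;
    }

    // Anything not matched above stays denied, which is the default.
  }
}
```

You can exercise both variants against the local emulator (firebase emulators:start) or the Rules Playground in the Firebase console before deploying.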

Refs:

https://www.youtube.com/watch?v=eW5MdE3ZcAw

https://www.youtube.com/watch?v=QEuu9X9L-MU&t=119s

https://www.youtube.com/watch?v=8Mzb9zmnbJs

https://www.youtube.com/watch?v=TglPc74M3DM


4) Be careful about your NPM packages:

You can check all known vulnerabilities on:

https://security.snyk.io/package/npm/firebase


5) Storing secrets in Google Cloud:

https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets#create

https://cloud.google.com/functions/docs/configuring/secrets

https://cloud.google.com/secret-manager/docs/reference/libraries#client-libraries-install-nodejs



6) Some hacks that have already happened:

How to NOT get a 30K Firebase bill: https://www.youtube.com/watch?v=Lb-Pnytoi-8

Basic hacking for Firebase: https://www.youtube.com/watch?v=mnTLrNrk93Q

https://stackoverflow.com/questions/67061264/is-it-possible-to-hack-and-update-a-firebase-realtime-database-data

https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/buckets/firebase-database