When working on security, always remember that you should never trust client-side data. You can add validation on the client side, and it is good practice because it spares the server from handling bad requests, but you must always perform the same validation on the server side: an attacker can skip your app entirely and call your backend directly with whatever payload they like.
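As an added example (this is not code from the original post, the React Native docs or Firebase), here is the pattern in JavaScript: one validator shared by the app and by a callable-style backend handler. The handler's (data, context) shape mirrors a Firebase callable function, but it is plain JavaScript so it runs stand-alone; the users/{uid} document layout and the field names are assumptions for the example, and wiring the handler into functions.https.onCall is left to the reader.

```javascript
// Added example: the same validation runs in the app (to save a round trip)
// and again on the server (the actual security boundary). Any client can skip
// the app and call the endpoint directly, so only the server-side check counts.

const ALLOWED_FIELDS = ['displayName', 'age']; // assumed document shape

// Shared validator. Returns a list of problems; an empty list means valid.
function validateProfileUpdate(input) {
  if (typeof input !== 'object' || input === null || Array.isArray(input)) {
    return ['body must be an object'];
  }
  const problems = [];
  // Reject unknown fields instead of silently ignoring them: a forged request
  // may try to smuggle in fields such as "role" or "balance".
  for (const key of Object.keys(input)) {
    if (!ALLOWED_FIELDS.includes(key)) problems.push(`unexpected field: ${key}`);
  }
  if (typeof input.displayName !== 'string' ||
      input.displayName.trim().length < 1 || input.displayName.length > 40) {
    problems.push('displayName must be a string of 1-40 characters');
  }
  if (!Number.isInteger(input.age) || input.age < 13 || input.age > 120) {
    problems.push('age must be an integer between 13 and 120');
  }
  return problems;
}

// Client side: run the validator before sending, purely for user feedback.
function clientSubmit(form, send) {
  const problems = validateProfileUpdate(form);
  if (problems.length) return { sent: false, problems };
  return { sent: true, response: send(form) };
}

// Server side: a callable-style handler (data, context). `context.auth` is
// populated by Firebase from the verified ID token when the caller is signed
// in (assumption: the real handler would be wrapped in functions.https.onCall).
function updateProfileHandler(data, context) {
  if (!context || !context.auth) {
    return { ok: false, code: 'unauthenticated', problems: ['sign in required'] };
  }
  const problems = validateProfileUpdate(data);
  if (problems.length) {
    return { ok: false, code: 'invalid-argument', problems };
  }
  // Copy only the validated fields, and write to the caller's own document:
  // the uid comes from the verified token, never from the request body.
  const doc = { displayName: data.displayName.trim(), age: data.age };
  return { ok: true, path: `users/${context.auth.uid}`, doc };
}

// Demo with constructed input: a request forged outside the app that passed
// no client-side validation at all.
const forged = { displayName: 'Mallory', age: 5, role: 'admin' };
console.log(updateProfileHandler(forged, { auth: { uid: 'u1' } }));
```

The forged request is rejected with two problems (the unexpected role field and the out-of-range age) even though it never went through the client-side check, which is the whole point: the client-side call only improves the user experience, the server-side call is what protects the data.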
Start by securing your client side, then move towards your server side:
Detailed article about client-side security from the React Native team:
https://reactnative.dev/docs/security
Other refs:
https://stackoverflow.com/questions/55856221/what-is-the-most-secure-way-store-keys-in-react-native
Backend (server-side) security:
Full checklist from the Firebase team: https://firebase.google.com/support/guides/security-checklist
https://developers.google.com/learn/pathways/firebase-security-layers
https://firebase.blog/posts/2019/03/firebase-security-rules-admin-sdk-tips
https://www.youtube.com/watch?v=pvLkkLjHdkw
https://www.youtube.com/watch?v=BGCLPiR_0Lg
https://www.youtube.com/watch?v=oFlHzF5U-HA
Let's try to understand some common attacks on the server side:
1) DDoS attack:
Though this is not a complete defense, Firebase provides App Check so that you can be reasonably sure a request is coming from your verified app rather than from a script. App Check raises the cost of scripted abuse but is not a DDoS mitigation by itself: pair it with per-user rate limiting and billing alerts, because a flood of rejected requests still costs you.
https://firebase.google.com/docs/app-check
App check for functions : https://firebase.google.com/docs/app-check/cloud-functions?authuser=0&hl=en
You can also set up Cloudflare between your app and your Firebase HTTPS endpoints and allow only certain origins. Keep in mind that an Origin header is sent by the client and can be forged by a script, so treat this as an extra layer, not the main control.
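As an added example (not from the post or the Firebase docs), this JavaScript wrapper applies two abuse checks to a callable-style handler before any real work happens: it rejects requests that carry no valid App Check token, and it rate-limits each signed-in user with a token bucket. The context shape follows the firebase-functions v1 CallableContext, where context.app is set only when the request carried a valid App Check token and context.auth only when the user is signed in (assumption for the example; firebase-functions v2 also exposes an enforceAppCheck option on onCall that does the first check for you).

```javascript
// Added example: abuse checks in front of a callable-style handler.
// Context shape (assumption): { app?: {...}, auth?: { uid } } as in the
// firebase-functions v1 CallableContext.

function withAbuseChecks(handler, options = {}) {
  const capacity = options.capacity ?? 10;        // burst size per caller
  const refillPerSec = options.refillPerSec ?? 1;  // sustained rate per caller
  const now = options.now ?? Date.now;             // injectable clock for tests
  const buckets = new Map();                       // uid -> { tokens, last }

  return function guarded(data, context) {
    // 1) App Check: drop traffic that did not come from a verified app build.
    if (!context || !context.app) {
      return { ok: false, code: 'failed-precondition', message: 'App Check token missing or invalid' };
    }
    // 2) Identity: rate limit per user, not per IP (mobile carriers and NAT
    //    put many real users behind one address).
    if (!context.auth) {
      return { ok: false, code: 'unauthenticated', message: 'sign in required' };
    }
    const uid = context.auth.uid;
    const t = now();
    let bucket = buckets.get(uid);
    if (!bucket) {
      bucket = { tokens: capacity, last: t };
      buckets.set(uid, bucket);
    }
    // Token bucket: refill in proportion to elapsed time, capped at capacity.
    bucket.tokens = Math.min(capacity, bucket.tokens + ((t - bucket.last) / 1000) * refillPerSec);
    bucket.last = t;
    if (bucket.tokens < 1) {
      return { ok: false, code: 'resource-exhausted', message: 'too many requests' };
    }
    bucket.tokens -= 1;
    return handler(data, context);
  };
}

// A handler that does expensive work, guarded: 5 calls burst, then 1 every 2 s.
const expensiveHandler = withAbuseChecks(
  (data, context) => ({ ok: true, uid: context.auth.uid, echo: data }),
  { capacity: 5, refillPerSec: 0.5 }
);

// Demo with a constructed context: a script that is signed in but has no
// App Check token is rejected before the handler runs.
console.log(expensiveHandler({ q: 1 }, { auth: { uid: 'u1' } }));
```

The Map lives in memory, so it is per function instance and resets on a cold start; for production keep the counters in Firestore or Memorystore so every instance sees the same numbers. App Check and rate limiting stop scripted abuse from exhausting your quota, they do not absorb a volumetric flood, so a budget alert remains the last line of defense.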
2) Man in the middle:
Man-in-the-middle attacks target unencrypted traffic, so always use encrypted (HTTPS) endpoints.
Luckily, Firebase Cloud Function calls go over HTTPS, so they are encrypted in transit.
Still, for more sensitive information it is recommended to add your own application-level encryption on top, so the data is also protected at rest and from anyone who gets read access to the database. Use a vetted library and a standard authenticated cipher rather than inventing a scheme, and keep the key on the server, out of the client bundle and out of source control (see storing secrets below).
3) Protect your Firestore:
Always remember to write your security rules. Make yourself comfortable with security rules and write them carefully: the rules generated by "start in test mode" let anyone on the internet read and write every document until their expiry date, and for clients that talk to Firestore directly through the SDK, the rules are the only server-side validation there is.
ref:
https://www.youtube.com/watch?v=eW5MdE3ZcAw
https://www.youtube.com/watch?v=QEuu9X9L-MU&t=119s
https://www.youtube.com/watch?v=8Mzb9zmnbJs
https://www.youtube.com/watch?v=TglPc74M3DM
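As an added example (not from the post or the linked videos), here are the weak test-mode rules beside a hardened rules file for a users/{uid} collection. The collection layout, the field names and the expiry date are assumptions for the sake of the example; the two files are shown one after the other and would be deployed separately.

```firestore-rules
// File 1, weak: what "start in test mode" generates (assumed date). Anyone on
// the internet can read and write every document until the date passes, and
// too often the rule is simply changed to `if true` when it expires.
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.time < timestamp.date(2024, 1, 1);
    }
  }
}

// File 2, hardened (added example, assumes users/{uid} documents with the
// fields displayName and age): deny by default, scope every rule to the
// signed-in owner, and validate the data shape, because a client writing
// through the SDK never passes through your Cloud Function validation.
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    function signedIn() {
      return request.auth != null;
    }
    function isOwner(uid) {
      return signedIn() && request.auth.uid == uid;
    }
    function validProfile(data) {
      return data.keys().hasAll(['displayName', 'age'])
        && data.keys().hasOnly(['displayName', 'age'])
        && data.displayName is string
        && data.displayName.size() >= 1 && data.displayName.size() <= 40
        && data.age is int && data.age >= 13 && data.age <= 120;
    }

    match /users/{uid} {
      allow read: if isOwner(uid);
      allow create: if isOwner(uid) && validProfile(request.resource.data);
      // On update only the listed keys may change, and the result must still validate.
      allow update: if isOwner(uid)
        && request.resource.data.diff(resource.data).affectedKeys().hasOnly(['displayName', 'age'])
        && validProfile(request.resource.data);
      allow delete: if false;
    }
    // Paths with no matching rule are denied by default.
  }
}
```

Rules are deployed with firebase deploy --only firestore:rules and can be exercised against the Firestore emulator before they reach production; every "allow" you add should come with a test that the same request is denied for a different uid. Note that the Realtime Database has its own, separate rules language, so a locked-down Firestore does not protect an open Realtime Database.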
4) Be careful about your NPM packages:
You can check known vulnerabilities on Snyk, and run npm audit in CI so a vulnerable dependency fails the build:
https://security.snyk.io/package/npm/firebase
5) Storing secrets in Google Cloud (never in the app bundle or in source control):
https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets#create
https://cloud.google.com/functions/docs/configuring/secrets
https://cloud.google.com/secret-manager/docs/reference/libraries#client-libraries-install-nodejs
6) Some attacks that have already happened:
How to NOT get a 30K Firebase Bill : https://www.youtube.com/watch?v=Lb-Pnytoi-8
Basic hacking of Firebase: https://www.youtube.com/watch?v=mnTLrNrk93Q
https://stackoverflow.com/questions/67061264/is-it-possible-to-hack-and-update-a-firebase-realtime-database-data
https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/buckets/firebase-database