In this video, Mike McDonald, Google Cloud Platform Product Manager, elaborates on building secure mobile applications with Google Firebase.
At 0:27, he opens with the observation that, in his experience, many apps are surprisingly insecure: anyone can reach out and download their entire database, because the developers skipped some basic practices for securing mobile applications.
At 1:27, he notes the ambient concerns that come with any backend: authenticating users and validating the schema, since the app will be writing data to the database or to some other API (Application Programming Interface).
At 1:41, he adds that running and managing the infrastructure is part of the job as well, including keeping the operating system and the language runtime up to date.
The Role of the Access Token
At 6:34, McDonald explains the use of the access token to identify the user. The access token is an opaque string that represents a specific user. Firebase Auth takes that token (here, one issued by Google after the user signs in) and from it establishes that this particular user has signed in via Google.
At 10:01, he puts forward the steps involved in validating a request from a user: authentication, authorization, schema validation, and business logic. He further explains that security rules stand between the client and the backend, and that these rules provide fine-grained Attribute-Based Access Control (ABAC).
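The four checks listed above, applied in that order to a hypothetical "posts" collection, as an added example that is not code from the talk or from Firebase. In Firestore security rules the same checks would be written against `request.auth`, `request.resource.data` and `resource.data`; the objects below reuse those names but are constructed stand-ins, and no Firebase SDK is involved. Everything about the collection (field names, length limits, the five-minute clock-skew allowance) is an assumption made for the example.

```javascript
// Added example, not code from the talk or from Firebase. It models the four
// checks the talk lists, in the order Firestore security rules would apply them
// to a hypothetical "posts" collection: authentication, authorization, schema
// validation, business logic. `request.auth` and `request.resource.data` mirror
// the names used in Firestore rules, but the objects here are constructed
// stand-ins; no Firebase SDK is involved.

const ALLOWED_KEYS = ['authorUid', 'title', 'body', 'createdAt', 'published'];
const CLOCK_SKEW_MS = 5 * 60 * 1000; // assumed tolerance between client and server clocks

// Every checker returns null when the request passes, otherwise a short reason.
function checkAuthentication(request) {
  // Rules equivalent: request.auth != null && request.auth.token.email_verified
  if (!request.auth || !request.auth.uid) return 'unauthenticated';
  if (request.auth.token.email_verified !== true) return 'email not verified';
  return null;
}

function checkAuthorization(request, existing) {
  // Attribute-based: only the author may write the post. On an update the
  // stored document (`existing`, the rules' `resource.data`) decides who the
  // author is, so a client cannot take over a post by rewriting authorUid.
  const data = request.resource.data;
  if (existing) {
    if (existing.authorUid !== request.auth.uid) return 'not the author';
    if (data.authorUid !== existing.authorUid) return 'authorUid is immutable';
  } else if (data.authorUid !== request.auth.uid) {
    return 'authorUid must be the caller';
  }
  return null;
}

function checkSchema(data) {
  // Rules equivalent: data.keys().hasOnly([...]) plus `is string` / `is bool` checks.
  const unknown = Object.keys(data).filter((k) => !ALLOWED_KEYS.includes(k));
  if (unknown.length > 0) return `unexpected fields: ${unknown.join(', ')}`;
  for (const k of ['authorUid', 'title', 'body']) {
    if (typeof data[k] !== 'string') return `${k} must be a string`;
  }
  if (typeof data.published !== 'boolean') return 'published must be a boolean';
  if (!Number.isInteger(data.createdAt)) return 'createdAt must be an integer timestamp';
  return null;
}

function checkBusinessLogic(data, existing, now) {
  // Content rules that go beyond shape. Schema validation has already run, so
  // the field types can be assumed here.
  if (data.title.length === 0 || data.title.length > 120) return 'title must be 1-120 characters';
  if (data.body.length > 10000) return 'body too long';
  if (existing) {
    if (data.createdAt !== existing.createdAt) return 'createdAt is immutable';
  } else if (Math.abs(data.createdAt - now) > CLOCK_SKEW_MS) {
    return 'createdAt must be close to server time';
  }
  return null;
}

// Runs the stages in order and reports which one denied the write.
// `existing` is null for a create, or the stored document for an update.
function evaluateWrite(request, existing, now = Date.now()) {
  const stages = [
    ['authentication', () => checkAuthentication(request)],
    ['authorization', () => checkAuthorization(request, existing)],
    ['schema', () => checkSchema(request.resource.data)],
    ['business logic', () => checkBusinessLogic(request.resource.data, existing, now)],
  ];
  for (const [stage, run] of stages) {
    const reason = run();
    if (reason !== null) return { allowed: false, stage, reason };
  }
  return { allowed: true, stage: null, reason: null };
}

// Constructed sample data so the run is deterministic.
const NOW = 1700000000000;
const alice = { uid: 'alice', token: { email_verified: true } };
const mallory = { uid: 'mallory', token: { email_verified: true } };
const makeRequest = (auth, data) => ({ auth, resource: { data } });
const goodPost = { authorUid: 'alice', title: 'Hello', body: 'first post', createdAt: NOW, published: false };

console.log(evaluateWrite(makeRequest(alice, goodPost), null, NOW));
// Mallory trying to publish Alice's post with an extra field never reaches
// the schema check: authorization denies it first.
console.log(evaluateWrite(makeRequest(mallory, { ...goodPost, published: true, isAdmin: true }), goodPost, NOW));
```

The ordering matters for more than tidiness: authorization runs before schema validation because the identity decision must not depend on fields the client controls beyond the one comparison it needs, and business logic runs last so it can assume the types the schema check has already enforced.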
At 15:02, he covers per-function identities. By default, all the functions in an application share the very same identity; that identity can instead be set per function, so that each one runs with the least privilege it needs. The access token, again, is what identifies the user.
At 21:35, McDonald describes Protocol Buffers: a way of defining a schema independently of any programming language, much like an interface definition language.
Role-Based Access Control
At 26:35, he describes Role-Based Access Control (RBAC), where the security decision depends on the role held by the individual. The role can be looked up in the database, and it is also possible to build an access control list in the database itself.
At 30:02, he cautions that custom claims are often seen as a panacea for all authorization needs. Their maximum size is 1 KB (Firebase enforces 1000 bytes), so they can carry only a small amount of static data, and their values are refreshed only when the token refreshes, which happens roughly once an hour.
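An added example covering both the database-lookup RBAC at 26:35 and the custom-claims limits at 30:02; it is not code from the talk or from Firebase. It shows a pre-flight check on a custom-claims object (the 1000-byte limit and the claim names Firebase reserves) and the consequence of the roughly one-hour refresh window: a role recorded in a token is frozen until the token is reissued, while a role read from the database is current. The decoded "tokens", the roles collection and the user names are constructed for the example; no Firebase SDK is involved.

```javascript
// Added example, not code from the talk or from Firebase. It shows two checks
// worth making when custom claims carry roles. First, a pre-flight check on the
// claims object before handing it to the Admin SDK: Firebase rejects custom
// claims whose JSON exceeds 1000 bytes and refuses the reserved claim names.
// Second, the staleness window: a claim is only as fresh as the ID token that
// carries it, and ID tokens live about an hour, so a role revoked in the
// database can still appear in a valid token until the client refreshes.
// The "tokens" below are constructed plain objects standing in for decoded,
// signature-verified ID tokens; no Firebase SDK is involved.

const MAX_CLAIMS_BYTES = 1000;
// Claim names Firebase reserves for the ID token itself.
const RESERVED_CLAIM_NAMES = new Set([
  'acr', 'amr', 'at_hash', 'aud', 'auth_time', 'azp', 'cnf', 'c_hash',
  'exp', 'firebase', 'iat', 'iss', 'jti', 'nbf', 'nonce', 'sub',
]);
const TOKEN_TTL_MS = 60 * 60 * 1000; // ID tokens are valid for roughly one hour

// Returns { ok, bytes, problems } for a proposed custom-claims object.
function validateCustomClaims(claims) {
  const problems = [];
  for (const name of Object.keys(claims)) {
    if (RESERVED_CLAIM_NAMES.has(name)) problems.push(`reserved claim name: ${name}`);
  }
  // Firebase measures the serialized JSON payload.
  const bytes = new TextEncoder().encode(JSON.stringify(claims)).length;
  if (bytes > MAX_CLAIMS_BYTES) problems.push(`payload is ${bytes} bytes, limit is ${MAX_CLAIMS_BYTES}`);
  return { ok: problems.length === 0, bytes, problems };
}

// Constructed stand-in for a decoded ID token minted with the given custom
// claims at time `iat` (milliseconds, to match the rest of the example).
function issueToken(uid, claims, iat) {
  return { uid, iat, exp: iat + TOKEN_TTL_MS, ...claims };
}

// Role as the token asserts it: no database read, but frozen at issue time.
function roleFromToken(token, now) {
  if (now >= token.exp) return null; // expired; the client must refresh
  return token.role || null;
}

// Role as the database currently records it (the lookup-based RBAC the talk
// mentions): one extra read per request, but never stale.
function roleFromDatabase(roles, uid) {
  return roles.get(uid) || null;
}

// For sensitive actions, require the database to agree with the token so a
// demoted user cannot keep acting for the rest of the token's lifetime.
function canPerformAdminAction(token, roles, now) {
  return roleFromToken(token, now) === 'admin' && roleFromDatabase(roles, token.uid) === 'admin';
}

// Constructed scenario: bob is an admin, receives a token, then is demoted.
const T0 = 1700000000000;
const TEN_MINUTES_MS = 10 * 60 * 1000;
const roles = new Map([['bob', 'admin']]);
const bobToken = issueToken('bob', { role: 'admin' }, T0);
roles.set('bob', 'viewer'); // demotion recorded in the database; the token is unchanged

console.log(validateCustomClaims({ role: 'admin' }));
console.log(validateCustomClaims({ sub: 'bob', blob: 'x'.repeat(1200) }));
console.log('token says:', roleFromToken(bobToken, T0 + TEN_MINUTES_MS),
  '| database says:', roleFromDatabase(roles, 'bob'));
console.log('admin action allowed:', canPerformAdminAction(bobToken, roles, T0 + TEN_MINUTES_MS));
```

The trade-off is the one the talk frames: claims are cheap to check and good for a few static attributes, while anything that must take effect immediately belongs in a database lookup. When a demotion really must cut off an existing session, the Admin SDK can revoke the user's refresh tokens with `revokeRefreshTokens(uid)` and the backend can pass `checkRevoked = true` to `verifyIdToken`, at the cost of an extra lookup per verification.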
At 33:41, McDonald turns to organizational controls, noting that Firebase's direct-from-mobile access opens up a number of possible attack vectors, so it is vital to know what those attacks are in order to secure the app against malicious actors.
He concludes that with Firebase, and Firestore in particular, the database can be managed securely to a great extent, and that the same tools support building secure mobile applications.