简体繁体 English

限制对 Firebase 存储的访问，以便只有我的应用可以访问它

[英]Restrict access to Firebase storage so only my app can access it

原文 2018-08-07 13:12:14 0 3 ios/ firebase/ firebase-storage

That's my scenario: 1) I am developing an iOS app that uses Firebase storage.这就是我的场景：1）我正在开发一个使用 Firebase 存储的 iOS 应用程序。 2) My app has custom light-weight authentication mechanism based on Facebook login. 2）我的应用程序具有基于 Facebook 登录的自定义轻量级身份验证机制。 3) All authenticated users can access ANY data in firebase storage. 3) 所有经过身份验证的用户都可以访问 firebase 存储中的任何数据。 4) All others cannot. 4）所有其他人都不能。

All I want is to ensure that only my app can access storage.我只想确保只有我的应用程序可以访问存储。 If I would build my own server I would just evaluate each incoming request with some API Key, which is pre-set in app thus all requests coming from my app are resolved successfully.如果我要构建自己的服务器，我只会使用一些 API 密钥来评估每个传入的请求，这些 API 密钥是在应用程序中预先设置的，因此来自我的应用程序的所有请求都得到成功解决。 And if somebody other wants to use my API he should know API key.如果其他人想使用我的 API，他应该知道 API 密钥。

I see, this is not a solution for WEB-APP, because everybody can see source code (and API key) but this is ok for mobile app, where there is no such possibility.我明白了，这不是 WEB-APP 的解决方案，因为每个人都可以看到源代码（和 API 密钥），但这对于移动应用程序来说是可以的，没有这种可能性。

So my question is: should I bother about it or Firebase already does this work based on APIkey in config file.所以我的问题是：我应该为此烦恼还是 Firebase 已经根据配置文件中的 APIkey 完成了这项工作。 And in the case I should, what would you recommend?如果我应该，你会推荐什么？

Maybe I missed something in firebase's docs but I found them unclear about this particular issue.也许我错过了 firebase 文档中的某些内容，但我发现他们不清楚这个特定问题。

3 个解决方案

In normal circumstances, yes, all others cannot access the storage.在正常情况下，是的，所有其他人都无法访问存储。 But, nothing is 'unhackable'.但是，没有什么是“不可破解的”。

People could reverse engineered your app and getting the credential, api key etc. So the best way is to apply another layer of protection such as this (for iOS) and this (For Android) (just for your reference).人们可以对您的应用程序进行逆向工程并获取凭证、api 密钥等。因此，最好的方法是应用另一层保护，例如此（适用于 iOS）和此（适用于 Android）（仅供您参考）。 Still, it is hackable but it takes more effort, normally people would give up attacking it.尽管如此，它还是可以破解的，但需要更多的努力，通常人们会放弃攻击它。
I assume you are using the standard way of firebase which required you to download the config file.我假设您使用的是标准的 firebase 方式，这需要您下载配置文件。 Looking into the config file you placed in the project, it allows people to access the firebase features (firebase storage in this case) under your api-key usage.查看您放置在项目中的配置文件，它允许人们在您的 api-key 用法下访问 firebase 功能（在本例中为 firebase 存储）。 You could apply 2-way factor authentication (either from firebase auth or facebook auth) to authenticate genuine users .您可以应用2 路因素身份验证（来自 firebase auth 或 facebook auth）来验证真正的用户。

Hope it gives you some ideas, cheers!希望它能给你一些想法，干杯！

First, it is very possible for someone to decompile your mobile app and get the code for it, even if it's not exactly what you wrote.首先，有人很可能会反编译您的移动应用程序并获取它的代码，即使它不是您编写的内容。 There are no secrets in your APK or IPA.您的 APK 或 IPA 中没有秘密。

Your only chance at protecting files in Cloud Storage is using Firebase Authentication along with security rules defined for your storage bucket.您保护 Cloud Storage 中文件的唯一机会是使用 Firebase 身份验证以及为您的存储桶定义的安全规则。 If you're using some form of custom auth, you'll have to use Firebase Auth on top of that and generate a JWT for each user.如果您使用某种形式的自定义身份验证，则必须在此基础上使用 Firebase 身份验证并为每个用户生成一个 JWT 。

Thanks to the new feature called Firebase App Check , it is now actually possible to limit calls to a Firebase project to only those coming from iOS, Android and Web apps that are registered within that project.多亏了名为Firebase App Check的新功能，现在实际上可以将对 Firebase 项目的调用限制为仅来自在该项目中注册的 iOS、Android 和 Web 应用程序的调用。

You'll typically want to combine this with the user authentication based security rules, such as those shown in the Firebase documentation on common access control patterns .您通常希望将其与基于用户身份验证的安全规则相结合，例如有关常见访问控制模式的 Firebase 文档中显示的规则。