Firebase: decompiled google-services.json used to fill quota
I am using a Firebase project where I sign users in anonymously on the Auth side. My issue is that I'm on the Blaze plan, and I wonder: can't people just decompile my app, take my google-services.json file and make an app out of it to basically spam my Firebase backend and bill me a lot of money? I've read that there are SHA-1 restrictions on the Google Developers APIs to ensure only apps with a certain SHA-1 signature can access Google APIs, but I can't understand whether this solves my issue. Can't people just copy my SHA-1? Isn't it publicly available inside the APK file? How can I ensure that people can't just decompile my app and spam my Firebase backend, so I won't be billed 1 million dollars by Google?
can't people just decompile my app and take my google-services.json file?
Essentially, yes, they can.
and make an app out of it to basically spam my Firebase backend and bill me a lot of money?
Not if you implement Firebase Authentication and security rules correctly. Anonymous auth and email/password auth still allow anyone to create an account, so you will want to gate what someone can do with either of these types of accounts. With email address validation, you at least have some measure of protection against automated attacks.
I suggest reading: Is it safe to expose Firebase apiKey to the public?
I strongly suggest not just using anonymous auth as your security mechanism. You should also place limits on what anonymous users can actually do. You should also encourage your users to upgrade their anonymous accounts to full accounts in order to get full access.
Can't people just copy my SHA-1?
No, that's a cryptographic hash based on your private signing key. If you keep that private key safe, then no one can sign their APK to mimic your registered SHA-1.
How can I ensure that people can't just decompile my app and spam my Firebase backend so I won't be billed 1 million dollars by Google?
Same answer as your first question: implement Firebase Auth and security rules correctly. If, for whatever reason, security rules aren't powerful enough for what you want to protect, implement your own custom backend API endpoints to provide access to data in a way that you find secure.
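The gating the answer describes (anonymous and unverified accounts get read-only access, verified accounts may write only their own documents, with a payload cap and a per-account write budget) is shown below as the authorization step of a custom backend endpoint. This is an added example, not code from the original post or from Firebase. In a real Cloud Function the decoded claims would come from `admin.auth().verifyIdToken(idToken)`; here they are passed in directly so the policy runs offline. The `firebase.sign_in_provider` and `email_verified` claims are real Firebase ID token claims; the `users/{uid}/...` path layout, the `public/` collection, and the limits `WRITE_LIMIT_PER_MINUTE` and `MAX_DOC_BYTES` are assumptions for the example.

```javascript
'use strict';
// Added example: authorization policy for a custom Firebase backend endpoint.
// Not part of the original post or of Firebase itself.
// `claims` stands in for the result of admin.auth().verifyIdToken(idToken).

const WRITE_LIMIT_PER_MINUTE = 30; // assumption: per-account write budget
const MAX_DOC_BYTES = 2048;        // assumption: cap on a single write payload

// Classify a decoded Firebase ID token. Anonymous sign-in is recorded in the
// `firebase.sign_in_provider` claim; email/password accounts carry `email_verified`.
function tierOf(claims) {
  if (!claims || typeof claims.uid !== 'string') return 'unauthenticated';
  const provider = claims.firebase && claims.firebase.sign_in_provider;
  if (provider === 'anonymous') return 'anonymous';
  if (provider === 'password' && claims.email_verified !== true) return 'unverified';
  return 'full';
}

// Sliding one-minute window per uid, kept in process memory. A single-instance
// stand-in for a counter you would keep in Firestore or Redis in production.
const writeLog = new Map();

function withinRate(uid, now) {
  const cutoff = now - 60000;
  const recent = (writeLog.get(uid) || []).filter((t) => t > cutoff);
  if (recent.length >= WRITE_LIMIT_PER_MINUTE) {
    writeLog.set(uid, recent);
    return false;
  }
  recent.push(now);
  writeLog.set(uid, recent);
  return true;
}

// Decide whether `op` ('read' | 'write') on `path` with `payload` is allowed.
// Returns { allowed, reason } so the caller can log denials.
function authorize(claims, op, path, payload, now = Date.now()) {
  const tier = tierOf(claims);
  if (tier === 'unauthenticated') return { allowed: false, reason: 'no valid token' };

  // Assumption: user-owned data lives under users/{uid}/...
  const ownerMatch = /^users\/([^/]+)\//.exec(path);
  const isOwner = ownerMatch !== null && ownerMatch[1] === claims.uid;

  if (op === 'read') {
    if (path.startsWith('public/')) return { allowed: true, reason: 'public read' };
    return isOwner
      ? { allowed: true, reason: 'owner read' }
      : { allowed: false, reason: 'not owner' };
  }
  if (op !== 'write') return { allowed: false, reason: 'unknown op' };

  // Anonymous and unverified email/password accounts are read-only.
  if (tier !== 'full') return { allowed: false, reason: `${tier} accounts are read-only` };
  if (!isOwner) return { allowed: false, reason: 'not owner' };

  const size = Buffer.byteLength(JSON.stringify(payload === undefined ? null : payload), 'utf8');
  if (size > MAX_DOC_BYTES) return { allowed: false, reason: `payload ${size} bytes exceeds cap` };

  if (!withinRate(claims.uid, now)) return { allowed: false, reason: 'rate limit' };
  return { allowed: true, reason: 'ok' };
}

// Constructed sample tokens (shape of a decoded Firebase ID token, values made up).
const anonToken = { uid: 'anon-1', firebase: { sign_in_provider: 'anonymous' } };
const unverifiedToken = { uid: 'u-7', email: 'b@example.com', email_verified: false,
  firebase: { sign_in_provider: 'password' } };
const verifiedToken = { uid: 'u-42', email: 'a@example.com', email_verified: true,
  firebase: { sign_in_provider: 'password' } };

console.log(authorize(anonToken, 'read', 'public/news'));                 // allowed
console.log(authorize(anonToken, 'write', 'users/anon-1/notes/1', { a: 1 })); // read-only
console.log(authorize(verifiedToken, 'write', 'users/u-42/notes/1', { a: 1 })); // ok
```

The same conditions map directly onto Firestore security rules (`request.auth.token.firebase.sign_in_provider == 'anonymous'`, `request.auth.token.email_verified`, `request.auth.uid == uid` against the path), so the rules and the custom endpoint can enforce one policy. Note that both only deny what a cloned client asks for; Firebase App Check, which attests that requests come from your genuine app, is the feature aimed at the cloned-client case itself.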