How to secure my Firebase API key?

I want to secure my firebase database for my mobile app and recently I've found that data.js contains API key for the FirebaseAPIV.3 (rex's plugin).

My questions here are :

1. Is it normal (or safe) for my app to contain Firebase API key data?

2. Is it possible for someone to alter my app and sabotage my database using their altered version of my app? (considered that I haven't done any server side security)

3. Do I have anything else for the security matters to be concerned of?

If you give your master API key to all of your users, they will have the same permissions with your database as you do.

1. Yes, but you should generate more keys for each of your users (or at least for each user group, like Player)

2. Yes. (Assuming the API key is used as a session ID)

3. Authorization will allow you to give each user group fine-grained control over what they .read or .write to.

We're going to assume that Google takes care of the deeper security aspects.

Although, this fellow seems to disagree: https://stackoverflow.com/questions/374 ... the-public

I would still make a separate API key for your users though, just to be safe.

I think it might be better to get rexrainbow to encrypt the key in the plug, or at least allow users to set what the key is at runtime which we can in turn encrypt/ decrypt ourselves via some other plug.

But you need to make a post in his thread about the plug, otherwise he may not see this.

It's not like he's not super busy with other stuff.

I think it might be better to get rexrainbow to encrypt the key in the plug, or at least allow users to set what the key is at runtime which we can in turn encrypt/ decrypt ourselves via some other plug.

But you need to make a post in his thread about the plug, otherwise he may not see this.

It's not like he's not super busy with other stuff.

Finally reply is working.

Thanks but using gumshoe method is doing just fine for me.

The only thing that bothering me now is rex authentication plugin doesn't work on mobile webview. I still haven't found the solution yet but I my assumption is it has something to do with in app deeplinks (or universal links). I'm still solving the problem.

I think it might be better to get rexrainbow to encrypt the key in the plug, or at least allow users to set what the key is at runtime which we can in turn encrypt/ decrypt ourselves via some other plug.

But you need to make a post in his thread about the plug, otherwise he may not see this.

It's not like he's not super busy with other stuff.

You can't really encrypt anything in the browser, because people can simply take your key and encryption algorithm and decrypt the key in the source. Javascript is never secure.

Beyond the exception of the would be hacker figuring out the encryption type, which would indeed be exceptional, you can also obfuscate strings by simply splitting it up, and make them guess the true order. Ascertaining that from the runtime would also be horribly complicated, even without minification.