Hey,
I am deving an android app, and i am planning to release it to Google Store when ready.
In this app players have balances, i am using Firebase Realtime Database as my database at the moment, which has been serving me well.
I am just wondering that how easily can this kind of code be exploited? Lets see an example:
Here is a really simple write to a user’s balance section in Firebase database:
How bad is this code in terms of security? Can someone “dig in” to this .apk app and simply edit that to a value of their own? I know i could do this balance add in the back end, but still there has to be SOME value sent from the users client, even if it was a simple ON/OFF boolean, and the back end would handle the rest…
If your client is doing naked communication directly with the database, and has rights to alter it, then a maliciously minded person can connect directly to the database and wipe it clean, alter any values and extract any data. Without your application running.
It is incredibly insecure, normally your client should be talking to backend through some sort of REST api and backend should be deciding what is and isn’t allowed.
If you want security you need to validate the values coming in. For example if you know that a level has a maximum achievable high score but someone tries to set it higher you know that’s an invalid high score and to refuse it.