saurik 519 days ago

Ok, when I was last talking to them[1], they did not have anything at all for security but a vague idea that it was important and a possible "would something like this work?" that was more about securing the API than the data ;P. Their FAQ still states they are working on it, but maybe they have something more in-depth now for the beta users (such as yourselves)?

[1] https://twitter.com/Firebase/status/190954896764305408

The pretty sane and "simple" (easy to implement on the server, but difficult for developers to use correctly) way of doing it is something like StackMob or Parse's ACL feature (but even that tends to be misused, and as soon as data can be shared between users it is almost impossible to get right without using custom server-side logic, which these kinds of companies are now supporting).

(FTR, I try to hit on these things pretty hard, as I'm highly concerned that these online middleware companies are short-changing the importance of security in the cloud, if not often in their implementations then almost always in their documentation and tutorials. I gave a talk at 360|iDev this year discussing solutions like StackMob and Parse, doing live demos of ripping keys out of apps and dumping their databases.)

(One of the apps I ran into--which I did not demo dumping data from during that talk ;P, although I did show a totally anonymized snippet of the kind of data it was storing--was an online dating matchup app that was storing all of its offline Facebook full-access auth tokens trivially accessible in StackMob, along with all of the "private" messages sent between the users... all of this despite the app supporting nicknames for "anonymity" and listing "security" as one of its defining features :(.)

(Firebase, to their extreme credit, is very honest about the fact that your data is all public: it is the very first question in their FAQ, and they state the situation 100% clearly and entirely outright. "However, it’s not ready for widespread use yet, so right now all data in Firebase is publicly accessible. Please keep this in mind when building apps!" <- emphasis is thankfully theirs, not mine ;P)
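The two failure modes saurik describes above (per-object ACLs that are easy to ship but easy to misuse, and shared data that needs server-side logic) are illustrated by the following added example. This is not code from the original comment, nor from Parse, StackMob or Firebase; it is a deliberately minimal model. The ACL shape (`{"<user-id>" or "*": {"read": bool, "write": bool}}`), the assumption that an object with no ACL is world readable/writable, the `Message`/`Profile` classes, and all user names and sample records are constructed for illustration.

```python
"""Toy model of a client-chosen, per-object ACL (Parse/StackMob style).

Added example, not any vendor's code. Assumed semantics: an object whose
ACL was never set is readable and writable by anyone, which is the mistake
an app makes when a developer forgets to set one.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PUBLIC = "*"


@dataclass
class Obj:
    klass: str
    data: dict
    acl: Optional[dict] = None  # None: the client never set an ACL


def can(user: Optional[str], op: str, obj: Obj) -> bool:
    """Does `user` (None = anonymous) have `op` ('read'/'write') on obj?"""
    if obj.acl is None:
        return True  # assumed default: no ACL means public
    entries = [obj.acl.get(PUBLIC, {})]
    if user is not None:
        entries.append(obj.acl.get(user, {}))
    return any(e.get(op, False) for e in entries)


def message_acl(sender: str, recipient: str) -> dict:
    """Sender may read/write, recipient may only read."""
    return {sender: {"read": True, "write": True},
            recipient: {"read": True, "write": False}}


def client_create_message(as_user: str, claimed_from: str, to: str, text: str) -> Obj:
    """What a pure ACL backend sees: an authenticated client stores an
    object whose fields *and* ACL it chose itself. Nothing ties the
    'from' field to as_user, so a forged sender passes every ACL check."""
    return Obj("Message", {"from": claimed_from, "to": to, "text": text},
               acl=message_acl(as_user, to))


def server_create_message(auth_user: str, to: str, text: str) -> Obj:
    """The custom server-side logic the comment says you end up needing:
    sender and ACL are derived from the authenticated session, never
    taken from the request body."""
    return Obj("Message", {"from": auth_user, "to": to, "text": text},
               acl=message_acl(auth_user, to))


# Field-name fragments worth flagging if an anonymous caller can read them.
SENSITIVE = ("token", "password", "secret", "message", "text")


def audit_public_sensitive(objs: List[Obj]) -> List[Tuple[str, List[str]]]:
    """Find objects an anonymous caller can read that carry sensitive-looking
    fields: the check that would have caught the dating app's leaked
    Facebook tokens and 'private' messages."""
    findings = []
    for o in objs:
        if can(None, "read", o):
            hot = sorted(k for k in o.data if any(s in k.lower() for s in SENSITIVE))
            if hot:
                findings.append((o.klass, hot))
    return findings


# Constructed sample dataset (not real data).
SAMPLE = [
    # developer forgot the ACL: world readable, token exposed
    Obj("Profile", {"nick": "anon42", "fb_access_token": "EAAB...constructed"}),
    # ACL set correctly: only the owner can read
    Obj("Profile", {"nick": "anon7", "fb_access_token": "EAAC...constructed"},
        acl={"alice": {"read": True, "write": True}}),
    server_create_message("alice", "bob", "hi"),
]

if __name__ == "__main__":
    for klass, fields in audit_public_sensitive(SAMPLE):
        print(f"PUBLIC {klass}: {fields}")
    forged = client_create_message("mallory", "alice", "bob", "send me money")
    print("bob sees forged message from", forged.data["from"],
          "readable:", can("bob", "read", forged))
```

The audit walks the store as an anonymous caller would, which is exactly what dumping a database with a key pulled from the app binary amounts to; the forged message shows why shared data needs logic that runs where the client cannot touch it.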



jamest 519 days ago

(Firebase Founder here)

Saurik - We're glad that there are people like you searching for holes in services like Firebase. Hopefully it'll keep making all of us better. Please keep doing it.

As ivolo noted, we do have a security feature set we're testing. It has taken a little while to build something that is both functional and usable. We're pretty confident we've got something that our users will love.

Excited to show you soon!
