Is it necessary to encrypt chat messages before storing it into firebase?

firebase encryption firebase-realtime-database firebase-security
13,685

Solution 1

You seem to have a good grasp of how Firebase Database works: the data is encrypted in transit, and it is stored on encrypted disks on the servers. If you enable local persistence on the device, the on device data is not encrypted.

But administrators of the app can see the data in the Firebase console. If it is a requirement of your app that administrators can't read this data, then you'll need to encrypt it on the client before sending it to Firebase. A while ago a developer explained their end-to-end encrypted chat on the firebase-talk mailing list.

Solution 2

Hey Jeff: you're right that when you write some data into Firebase/Firestore, the data:

  1. Is protected over the wire using HTTPS.
  2. Then, when it lands on the Firebase REST frontend server, HTTPS terminates and the server has access to the full payload
  3. Then the REST server routes the data to the backend/database, which also has access to the data.
  4. When the data is written into disk, it's encrypted at-rest, but the at-rest encryption keys are also available to Google and your administrators will also see the Firestore contents

Encrypting data client side (End-to-End Encryption) prohibits all these participants/roles seeing your data.

Encrypting data on client side is fairly simple (compatibility across mobile platforms and browsers is tricky). The other tricky part is the key management to enable one user access to the decryption key without the other user sending the key over in an unsecure channel.

The way you can implement this is:

  1. Create private & public keys for your users when you sign them up
  2. Encrypt data on user1's device with user2's public key
  3. Write the encrypted data into Firestore
  4. When user2 reads up the encrypted data, her private key will be able to decrypt it.

Check out this Firebase E2EE chat sample on GitHub for iOS: https://github.com/VirgilSecurity/demo-firebase-ios and Android: https://github.com/VirgilSecurity/demo-firebase-android

HTH, David

Share:
13,685
JeffMinsungKim
Author by

JeffMinsungKim

Recently, actively into Stack Overflow.

Updated on June 07, 2022

Comments

  • JeffMinsungKim
    JeffMinsungKim about 2 years

    As far as I know, Firebase sends data over an HTTPS connection, so that the data is already being encrypted. Although Firebase provides security rules to protect my data structure, I can still be able to see the string messages in the database.

    I'm just curious whether it is a good idea to encrypt messages before pushing the data to Firebase or not. Should I just move on from this topic to something else?

    Thank you.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Is it secure to call firestore from flutter mobile apps?
Firebase understanding snapshot.child()
Getting 'User does not have Permission to access this object. Code: -13021 HttpResult: 403' error. Please see details
Why does this Firebase ".indexOn" not work?
Adding and ".indexOn": ".value" into Firebase Rules
Firebase login failed
Making firebase storage public for reading and writing on android
How to encrypt user data in Firebase
Firebase Permission Denied
How to only allow one admin user to write Firebase Database?