React Native: Security Of REST API with Firebase

Abdullah Liaqat
Jun 6, 2020 · 4 min read

The vulnerability of using REST APIs in mobile applications

When a web page calls a REST API from the browser, the browser enforces the same-origin policy and its controlled relaxation, CORS (Cross-Origin Resource Sharing): the server states which origins may read its responses, and the browser refuses to hand a cross-origin response to the page's JavaScript unless the server allowed that origin. So, in the normal case, a page on website A cannot read the REST API of website B from a visitor's browser, and it makes sense to rely on that when the backend was never designed to be a public API. Two caveats matter for what follows. CORS is enforced by the browser, not by the server, so it protects the user's browser session rather than the API itself: anyone who calls the API with curl, a script, or a native app is not subject to it at all. And a mobile application is exactly such a client. The request below goes straight from the device to the server with no origin check in between, so whatever sits behind the URL must authenticate the caller itself.

// Make requests to the REST API with axios from a React Native component
import React from 'react';
import axios from 'axios';

export default class App extends React.Component {
  componentDidMount() {
    // Use HTTPS: the request leaves the device with no browser-side origin check,
    // so TLS is the only thing between the API and anyone on the network path.
    axios.get('https://example.com')
      .then(res => {
        // handle response from request here
      })
      .catch(err => {
        // catch any error here
      });
  }

  render() {
    return (
      // React Native component goes here
      null
    );
  }
}

Possible Solutions With Some Limitations

One common approach is to embed an app secret in the application and send it in a header of every API request to the server. This only works against an attacker who never looks inside the app, which is rarely the case. Anything shipped to the user in the app package (an .apk for Android, an .ipa for iOS) is in the attacker's hands: the secret, or the routine that generates it, can be pulled out with a decompiler, a string search over the package, or by hooking the app at runtime, and from then on any script can present the same header. Extracting such a secret takes some effort, but it is far from impossible, and once it is extracted the header proves nothing about who is calling. So this approach raises the bar a little, but it does not authenticate the caller and should never be the only protection.

Solution To Our Problem Using Firebase Auth

Let me explain this approach first. We take advantage of the Firebase Auth sign-in flow. When we create a project on Firebase and add our app to it, Firebase asks for identifiers of the application. For an Android app, for example, it requires the Android package name and the SHA-1 fingerprint of the signing certificate (the SHA-1 is needed for Google Sign-In and similar providers; it is not by itself a guard on who can call your API). The flow is then: the user signs in through Firebase Auth inside the app; the app obtains a Firebase ID token, a short-lived JWT (valid for one hour) signed by Google for that user; the app sends the token in the Authorization header of every REST call over HTTPS; and the backend verifies it with the Firebase Admin SDK, which checks the signature against Google's public keys, the project's audience and issuer, and the expiry, and then reads the verified uid out of it. Nothing secret ships in the app package: the only thing an attacker can extract is the public Firebase config, and a token can only be obtained by completing a sign-in. Note what this proves, though: that the request comes from an authenticated user of your Firebase project, not that it comes from your unmodified app. The backend must still authorize each request against the uid (which records this user may read or change), and a script that signs in as a legitimate user can call the API exactly as the app does.

// Client (app): obtain the ID token after the user has signed in with Firebase Auth.
// Uses the namespaced Firebase JS SDK API (firebase.auth()), as in the original snippet;
// @react-native-firebase/auth exposes the same currentUser.getIdToken() call.
import firebase from 'firebase/app';
import 'firebase/auth';

const user = firebase.auth().currentUser;
if (user) {
  user.getIdToken(/* forceRefresh */ true).then(function(idToken) {
    // Send token to your backend via HTTPS, e.g. "Authorization: Bearer <idToken>"
    // ...
  }).catch(function(error) {
    // Handle error
  });
}

// Server (backend): verify the token with the Firebase Admin SDK.
// idToken comes from the client app
const admin = require('firebase-admin');
admin.initializeApp();

admin.auth().verifyIdToken(idToken)
  .then(function(decodedToken) {
    let uid = decodedToken.uid;
    // authorize the request for this uid
    // ...
  }).catch(function(error) {
    // Handle error: reject the request (HTTP 401)
  });

Conclusion

In conclusion, mobile applications can be made secure if the potential vulnerabilities are taken into account properly, and it is much cheaper to design the authentication layer during development than to bolt it onto a running production application. The advantage of a service like Firebase Auth is that there is no need to set up and maintain your own authentication servers; the backend only has to verify the ID token on every request and then authorize what the resulting user may do.

Abdullah Liaqat

Written by

Software Engineer