Skip to main content

🛡ī¸ Security

1. Securing Firebase Authentication​

  • Enable Multi-Factor Authentication (MFA): Add an extra layer of security by requiring a second factor (e.g., SMS or authenticator app).

  • Enforce Strong Passwords: Ensure users set strong passwords in Firebase Authentication settings.

  • Role-Based Access Control (RBAC): Use Firestore rules to limit data access based on user roles.

    Example Firestore Rules:

    rules_version = '2'; 
    service cloud.firestore {
    match /databases/{database}/documents {
       match /users/{userId} {
          allow read, update: if request.auth != null && request.auth.uid == userId;
          allow create: if request.auth != null && request.resource.data.keys().hasOnly(['trialCount']);
          allow write, delete: if false;
       }
    }
    }

2. Securing Stripe Integration​

  • Store API Keys Securely: Use Flutter Secure Storage for your Stripe API keys and tokens.
  • Server-Side Purchase Verification: Always verify payments server-side to prevent fraud.
  • Move Sensitive API Calls to Firebase Cloud Functions: Handle sensitive API calls (e.g., payment processing) on the backend to protect API keys from exposure.

3. Mobile Security Best Practices (Android & iOS)​

  • Obfuscate Code: Use ProGuard (Android) and Swift obfuscation (iOS) to protect your source code.
  • Secure API Calls: Ensure all API calls use HTTPS and validate SSL certificates to prevent man-in-the-middle attacks.
  • Store Sensitive Data Securely: Use Keychain (iOS) or EncryptedSharedPreferences/Android Keystore (Android) for storing sensitive data.

4. Handling User Data Securely​

  • Minimize Data Collection: Only collect essential data and comply with regulations like GDPR.
  • Use Secure Communication: Ensure all data transfers are encrypted with HTTPS.

5. Testing Security​

  • Use Firebase Emulator: Test Firebase Authentication and Firestore locally before going live.
  • Perform Vulnerability Scans: Use tools like OWASP ZAP or Burp Suite to scan your app for vulnerabilities.
  • Test Permissions on Real Devices: Always test your app on real devices to ensure data security settings are enforced correctly.