
Best Practice For Storing Firestore Data Model

When using Firestore and Android, if we want to store the data model in one place, we can store it:

In XML:

<string name="collection_users">users</string>
<string name="user_first_name">first</string>
<string name="user_last_name">last</string>
<string name="user_year_birth">born</string>

Or directly in Java:

public static final String COLLECTION_USERS = "users";
public static final String FIELD_FIRST_NAME = "first";
public static final String FIELD_LAST_NAME = "last";
public static final String FIELD_YEAR_BIRTH = "born";

However, in both cases, we expose the entire data model of the DB in the client code, making the job of attackers easier in case they somehow get their hands on the source code of the app. Is there any good practice or suggested approach to minimize the exposure of the structure of the DB in the client code, when using a No-SQL DB such as Firestore?


Answer

Is there any good practice or suggested approach to minimize the exposure of the structure of the DB when using a No-SQL DB such as Firestore?

Sure there is: use Firestore security rules, so you can secure your database according to your needs. For that, I recommend you read the official documentation regarding getting started with Cloud Firestore Security Rules.

Security rules provide access control and data validation in a simple yet expressive format. To build user-based and role-based access systems that keep your users' data safe, you need to use Firebase Authentication with Cloud Firestore Security Rules.

Since exposing the database structure cannot be prevented, the name of the collections/documents should explicitly exist in your code so you can use them in your references. But this won't be a problem as long as you secure your database correctly. Moving some logic (when possible) to the server side will be a good option.

You can also try to store those names in a local database if you want and encrypt them, but in my opinion there is no benefit in doing this. It's up to you to choose if you need some kind of encryption or not.
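
A sketch of what such rules could look like for the users collection from the question, added here as an illustration and not part of the original answer. It assumes each document ID in users is the owner's Firebase Authentication UID; the length and year bounds are constructed values.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumption: the document ID under /users is the owner's Auth UID.
    function isOwner(uid) {
      return request.auth != null && request.auth.uid == uid;
    }

    // Data validation: exactly the three fields from the question,
    // with the expected types. The bounds are constructed examples.
    function validUser(data) {
      return data.keys().hasAll(['first', 'last', 'born'])
          && data.keys().hasOnly(['first', 'last', 'born'])
          && data.first is string && data.first.size() > 0 && data.first.size() <= 100
          && data.last is string && data.last.size() > 0 && data.last.size() <= 100
          && data.born is int && data.born >= 1900 && data.born <= 2100;
    }

    match /users/{uid} {
      // A signed-in user can fetch only their own document.
      allow get: if isOwner(uid);
      // No client may enumerate the collection, even though its name is known.
      allow list: if false;
      // Writes must come from the owner and pass validation.
      allow create, update: if isOwner(uid) && validUser(request.resource.data);
      allow delete: if isOwner(uid);
    }

    // Paths not matched by any rule above are denied by default.
  }
}
```

With rules like these, knowing the names users, first, last and born gives a client nothing beyond what its own authenticated identity is allowed to read or write.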

source: stackoverflow.com