OMG!!! Firebase work similar to yours Oauth 2-based and he has internal access rules configurable via dasboard. But i haven’t a back end server and i wouldn’t set up one only for upload images…
I try to unpack an ipa from an app made with ionic unzip it, show the content package and inside you have the www folder with inside ALL of your code!!! 
OMG again!!!
@mhartington suggestions or best pratice for managing security on cordova apps??? the olny solutions is having a remote backend server?