Ionic+Firebase - Business Logic Manipulation and Prevention

Hi, I’m new to Ionic and I have not found an answer to my question, so I hope someone can help me.

If I use Ionic+Firebase, then I have to code the business logic on the client side (Angular), and I’ve read that one can decompile the .apk file and see the code. So my question is:
Is it possible to decompile the .apk file, change the business logic (Angular code), compile it again and run the app with manipulated business logic?

If it is possible, then the security rules of Firebase can’t help me all the time, e.g.:
Assumption: I have a node in the Firebase DB “writeNode1” and every authenticated user can add new data to the node (security rule). The business rule is: if and only if a user clicks on button “kk” then write some data to “writeNode1”.
Problem: If someone can manipulate the business logic then he can “flood” “writeNode1” with trash data. Is something like this possible? How can I prevent something like this?

Thanks :slight_smile:

I don’t know what you mean by business logic. But as with all app programming, rules on the client side are for user experience, while rules on the server side are for security.

Thanks for reply. What I mean are the two situations (business rules on clientside and serverside):
Business Rules on Client Side:
-the backend of the app is just Firebase
-the Firebase DB has a node “writeAllowedToAuthenticatedUsers” with the security rule “every authenticated user can write to the node”
-the business rule is: if and only if a user clicks on the button “ClickMe” in the app then write to the node “writeAllowedToAuthenticatedUsers” the text “The user <user_id> clicked the button”
-implementation: I need to write a function in Angular, something like:
if (user.clicked) {
  writeToDB("The user " + user.getUserId() + " clicked the button");
}
-Problem: if someone can change the code, recompile and run the app with modified code, e.g.:
if (user.clicked) {
  writeToDB("Hacked " + user.getPW() + " clicked the button");
}
-> the business rule is broken because the string “The user <user_id> clicked the button” was expected, but in the DB the string “Hacked clicked the button” will be saved.

Business Rules on Server Side:
-the backend is my server and the business rules are written on the server
-in Angular (client side) I have to write:
if (user.clicked) {
  backend.ClickMeBusinessRule();
}
-> in this case the business rule is safe against manipulation because the string “The user <user_id> clicked the button” can’t be manipulated on the client side (only the backend server has access to the DB).

My question is: Are manipulations on the client side like this possible?

What is the difference between a rule and a business rule? Firebase is defined with security rules, for example. I don’t remember “business rule” appearing anywhere in the API. I am having a hard time understanding you.

A business rule is a use case; above it is: if a user clicks on the button “ClickMe” then write the text “The user <user_id> clicked the button” to the DB. If manipulations of the Angular code are possible, then every business rule can be modified and this can lead to undefined states of the system or the DB.

You can validate the string.
https://firebase.google.com/docs/database/security/#section-validation

Yes, I know, but it is not a general solution against business logic manipulation. What about this situation:
-the user can be in one of two states {freeuser, premiumuser}
-if the user pays money then he will be in the state “premiumuser”; the Angular code would be like (just pseudocode):
if (user.payedMoneySuccessfull) {
  firebase.changeStateToPremium(user);
}…
-a bad user can decompile the code, remove the if statement and leave the “firebase.changeStateToPremium(user)” line.
-> if he can compile the code again and run the app, he will get the premium state without paying money.
-I think the security rules of Firebase can’t deal with something like this. The solution would be: only an external server is allowed to change the state of a user.
I just want to know if client-side Angular code manipulations like this are possible. If so, then I need an additional backend server for validation.

You keep a list of premium users that can only be changed by cloud functions when a subscription begins or expires. In your validation string you check that the user id is in the premium user list.

1 Like
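The approach described in the reply above, written out as Realtime Database security rules (an added example, not code from the thread or from Firebase's docs): the node names "premiumUsers" and "writeNode1" are assumptions matching the thread, and Firebase rules accept "//" comments. Client SDKs can never write the premium list; only the Admin SDK used inside a Cloud Function bypasses rules, and the click entry is validated against the exact expected string and the premium list.

```json
{
  "rules": {
    "premiumUsers": {
      // No client can write here; the Admin SDK (e.g. a Cloud Function
      // reacting to a payment webhook) is the only writer because it bypasses rules.
      ".write": false,
      "$uid": {
        // A user may only read their own premium flag.
        ".read": "auth != null && auth.uid == $uid"
      }
    },
    "writeNode1": {
      "$pushId": {
        // Only signed-in users may create a new entry; existing entries are immutable.
        ".write": "auth != null && !data.exists()",
        // The stored value must be exactly the string the business rule expects,
        // bound to the caller's own uid, and the caller must be a premium user.
        ".validate": "newData.isString() && newData.val() == 'The user ' + auth.uid + ' clicked the button' && root.child('premiumUsers').child(auth.uid).exists()"
      }
    }
  }
}
```

A modified client cannot write "Hacked ..." or promote itself to premium, but these rules do not limit how many valid entries one premium user pushes, so the flooding concern from the first post needs a separate measure.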

This is also a great solution. Thanks :slight_smile:

I’m just curious if Angular code manipulations (decompile, change code, recompile, run the manipulated app) are possible and whether the manipulated app still works and can interact with Firebase.

Yes. That’s why the security logic needs to be done with Firebase.

1 Like