Quick Start Security for GCP Firebase
Coralogix Extension For GCP Firebase Includes:
Alerts - 24
Stay on top of GCP Firebase key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
GCP Firebase Project - Multiple SHA Certificates Were Listed
This alert gets triggered when SHA certificates are listed by a user. In mobile application development, SHA-1 and SHA-256 keys are used for security. They are like digital fingerprints that are unique to your app. These keys are used for various security purposes, such as signing your app, which helps verify that your app is authentic and has not been tampered with.
Note: In this alert, the SHA certificate threshold is set to more than 5 in 10 minutes; feel free to adjust it as per your requirements.
Impact
Viewing the SHA certificate in Firebase allows developers to verify the unique fingerprint associated with their Android app. This verification is essential for ensuring that the app's configuration aligns with Firebase services, particularly for authentication methods like Google Sign-In. Viewing the certificate does not cause any changes or disruptions but provides a way to confirm that the correct SHA-1 or SHA-256 fingerprint is in place. Proper verification helps maintain a secure and seamless integration with Firebase features.
Mitigation
Analyze the logs to identify the application, type, and user who listed the SHA certificate key. If the listings pertain to critical applications, contact the user for justification and take the necessary actions. If it is part of a business activity, close the event. Otherwise, instruct the user to access SHA certificate keys only through authorized apps. If necessary, downgrade or remove the user's access to prevent similar future events.
MITRE Tactic: TA0043
MITRE Technique: T1593
GCP Firebase Project - SHA Certificate Was Deleted
This alert gets triggered when a user deletes a SHA certificate. In mobile application development, SHA-1 and SHA-256 keys are used for security. They are like digital fingerprints that are unique to your app. These keys are used for various security purposes, such as signing your app, which helps verify that your app is authentic and has not been tampered with.
Impact
Deleting the SHA certificate from Firebase can disrupt Google Sign-In and OAuth-based authentication methods, making them non-functional. It may also affect APIs and services that rely on this certificate for security validation, such as Firebase Dynamic Links and Firebase Cloud Messaging. Additionally, it could cause issues with app verification and integrity checks, leading to failures in critical app features. To restore functionality, you must re-add the correct SHA certificate.
Mitigation
Analyze the logs to identify the application, type, and user who deleted the SHA certificate key. If the changes pertain to a production or critical application, contact the user for justification and take the necessary actions. If it is part of a business activity, close the event. Otherwise, contact the user or engineering team to restore the deleted SHA key from the backup or historical logs. Ensure that the restored SHA key is valid and authorized for the configured application. To prevent such losses in the future, use a secret manager to securely store credentials and keys.
MITRE Tactic: TA0005
MITRE Technique: T1578
GCP Firebase Project - SHA Certificate Was Created
This alert gets triggered when a SHA certificate is created by a user. In mobile application development, SHA-1 and SHA-256 keys are used for security. They are like digital fingerprints that are unique to your app. These keys are used for various security purposes, such as signing your app, which helps verify that your app is authentic and has not been tampered with.
Impact
Creating a SHA certificate in Firebase enables proper configuration and functionality for Google Sign-In and other OAuth-based authentication methods. Misconfigured or unverified certificates may impact application integrations with Firebase services like Dynamic Links and Cloud Messaging, the authenticity of your app, and the trusted operation of key features. Properly configuring the SHA certificate is essential for maintaining app integrity and user trust.
Mitigation
Analyze the logs to identify the application, type, and user who created the SHA certificate key. If the changes involve a production or critical application, contact the user for justification and take the necessary actions. If it is part of a business activity, close the event. Otherwise, validate the SHA certificate keys or remove them if they are not needed. Additionally, ensure that the provided SHA key is valid and authorized according to the configured application.
MITRE Tactic: TA0003
MITRE Technique: T1098
GCP Firebase Project - Application Was Created
This alert gets triggered when an application is created by a user. This includes all types of applications, such as Android, web, iOS, and Flutter, that are integrated with Firebase, a platform developed by Google for creating mobile and web applications. Firebase provides a suite of tools and services to help developers build high-quality apps, improve app quality, and grow their user base.
Note: Kindly whitelist the sandbox/QA Firebase accounts and application types so that the alert triggers only for critical accounts.
Impact
Misconfiguration may expose sensitive credentials and APIs, leading to security breaches and unauthorized access to user data. Operational disruptions can occur, affecting app functionality like authentication and database operations, potentially leading to user dissatisfaction and retention issues. Financially, such incidents can result in losses from remediation costs, regulatory fines, and damage to brand reputation. Proactive monitoring, regular audits, and stringent access controls are crucial to prevent and mitigate such risks in Firebase environments.
Mitigation
Identify the user and the type of application they created. If the name or label suggests it is a test, close the event. Otherwise, contact the user to obtain valid business requirements. If it is part of a business activity, close the case. If not, contact the user or the engineering team to either delete the application or move it to the Sandbox/QA environment for testing.
MITRE Tactic: TA0003
MITRE Technique: T1098
GCP Firebase Project - Android App Was Undeleted
This alert gets triggered when an Android app is undeleted. An Android app in Firebase refers to an Android application that is integrated with Firebase, a platform developed by Google for creating mobile and web applications. Firebase provides a suite of tools and services to help developers build high-quality apps, improve app quality, and grow their user base.
Impact
If the undeleted app was previously removed by the organization due to suspicious behavior, it might continue to operate maliciously without the user's awareness. This could result in unauthorized collection of sensitive information or the execution of harmful actions, potentially leading to data breaches, identity theft, or other detrimental outcomes.
Mitigation
Analyze the logs and review the application behavior along with its historical events. If the app was removed due to malicious activity, contact the engineering team to identify the root cause and ensure that all connected services are disabled or deleted. To mitigate the risk of an adversary restoring a deleted Android app, follow best practices in mobile device security. This includes regularly updating and patching the operating system and installed applications, as well as using trusted antivirus software.
MITRE Tactic: TA0005
MITRE Technique: T1578
GCP Firebase Project - Multiple Apps Updated
This alert gets triggered when multiple applications are updated by a user. An app in Firebase refers to an application that is integrated with Firebase, a platform developed by Google for creating mobile and web applications. Firebase provides a suite of tools and services to help developers build high-quality apps, improve app quality, and grow their user base.
Note: In this alert, the app count is set to more than 3 in 10 minutes; feel free to adjust it as per your requirements.
Impact
Updating an app in Firebase can bring several improvements and changes. It ensures that the app utilizes the latest Firebase SDK features, security updates, and performance enhancements. This can improve app stability, introduce new functionalities, and enhance user experience. However, the update process needs careful management to prevent disruptions, as any misconfiguration or compatibility issues might lead to integration failures or degraded app performance. Proper testing and validation are crucial to ensure a smooth transition.
Mitigation
Examine the logs to identify any changes. If the changes seem critical, like modifications to tokens, alterations in application flow, or updates to authentication settings, contact the user for an explanation and business approval. Based on the user's response, close the events if they are part of an authorized business change request. If necessary, escalate the issue to the engineering team to revert the changes and restore the application to its original state, ensuring it functions as expected. Additionally, if needed, remove the user's access to prevent similar incidents in the future.
MITRE Tactic: TA0042
MITRE Technique: T1583
GCP Firebase Project - No Logs From Firebase In the Last 24 Hours
This alert gets triggered when there are no logs from Firebase in the last 24 hours. Firebase is a Backend-as-a-Service (BaaS). It provides developers with various tools and services to help them develop quality apps, grow their user base, and earn profit.
Note: Please select the relevant application and subsystems before enabling it.
Impact
Firebase provides detailed documentation and cross-platform app development SDKs to help you build and ship apps for iOS, Android, the web, Flutter, Unity, and C++. However, a lapse in logging data over the past 24 hours can potentially disrupt DevOps operational oversight and impact timely responses to critical events. This absence of logs heightens the risk of overlooking suspicious connections or irregular deployments, leaving room for undetected incidents that could impact system integrity.
Mitigation
Please conduct a thorough examination of the logs and consult with the engineering team to verify any findings. If there is a lack of activity reflected in the logs, it is advisable to close the incident. However, if an issue is identified, take the necessary steps to rectify it promptly, ensuring that logging functionality is restored and data flows seamlessly to the designated destination.
MITRE Tactic: TA0005
MITRE Technique: T1562
GCP Firebase Project - Mass User Accounts Destruction
This alert gets triggered when multiple user accounts are removed by a single user in a short period. Firebase currently offers three access levels: owner, viewer, and editor.
Note: The event count is set to more than 5 in 10 minutes; feel free to edit it as per your requirements.
Impact
Mass destruction or removal of users may have a major impact on business operations, as multiple users and related services, integrations, and alerts may stop flowing as expected. This could be a sign of privilege escalation, unauthorized access, an intruder, defense evasion, or insider threats. Adversaries may interrupt the availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Mitigation
Analyze the logs and identify the number of users removed and their access. Accordingly, contact the user and ask for the business justification with the approval ticket. If this appears to be a business activity, close the case; otherwise, escalate to the engineering team to get the accounts reverted with their assigned permissions and make sure the impacted services/accounts are back to working as expected. Further action can be taken against the user who performed this activity without a valid reason.
MITRE Tactic: TA0040
MITRE Technique: T1531
Building Block - GCP - Firebase Project - Application Was Removed
This alert gets triggered when a user has deleted an application. Firebase supports a range of application types, including Android, iOS, Web, Flutter, and Unity.
Note: This alert is configured to monitor only Android, iOS, and web applications. Please customize it by adding any additional apps based on your specific needs.
Impact
Deleting an application is an uncommon occurrence outside of testing or sandbox environments. If this event occurs with a production or internal application, it can have significant business impacts, including insider threats, business disruption, financial losses, account compromise or takeover, and operational interruptions.
Mitigation
Limit critical permissions to authorized users and require approval before deleting an app. Review the logs thoroughly, gather all pertinent details, and reach out to the user for confirmation. If the request is legitimate, resolve the case accordingly. If not, contact the engineering team to investigate and check for any stored backups. If available, restore the application and implement the necessary changes.
MITRE Tactic: TA0040
MITRE Technique: T1496
Building Block - GCP - Firebase Project - Admin Privileges Invite Accepted By User
This alert gets triggered when the user accepts the admin privilege account request. The Firebase Admin SDK provides an API for managing your Firebase users with elevated privileges.
Impact
The admin user management API gives you the ability to programmatically retrieve, create, update, and delete users without requiring a user's existing credentials and without worrying about client-side rate limiting. Admin privileges grant complete access to the dedicated Firebase project and its associated applications. If unauthorized or unknown users acquire these permissions, it poses significant security risks, including account compromise, account takeover, privilege escalation, insider threats, and more.
Mitigation
Identify the user account recently added to the project. Reach out to the user who assigned these permissions and request justification along with the approval ticket for granting access. Once resolved, close the case accordingly. If no valid justification is provided, remove the user account immediately, ensure there are no unusual events associated with this user, and continue monitoring.
MITRE Tactic: TA0001
MITRE Technique: T1199
Building Block - GCP - Firebase Project - External User Permissions Modified
This alert gets triggered when an external user has been added or modified within the project with a specific role. Firebase currently offers three access levels: owner, viewer, and editor.
Note: Please include the whitelisting of corporate official domains in the query.
Impact
The user account might belong to a contractor or third-party service for the specific project. If this is the case, please whitelist the domain. Otherwise, this event suggests a significant security risk to Firebase, such as account compromise, privilege escalation, account takeover, insider threats, and more.
Mitigation
Identify the user account that has been added to the project. Reach out to the user who assigned the permissions and request justification and approval for granting these permissions. Once resolved, close the case and whitelist the domain if appropriate. Otherwise, promptly remove the user account, verify no unusual activity occurred, and continue monitoring the situation.
MITRE Tactic: TA0001
MITRE Technique: T1199
GCP Firebase Project - Web Push Certificate Key Was Deleted By an External User
This alert gets triggered when a Firebase Cloud Messaging API key is deleted. Google's Firebase Cloud Messaging (FCM) is a cross-platform messaging solution that lets you reliably send messages at no cost. Using FCM, you can send push messages to your web applications. FCM supports web push messages on Chrome, Firefox, Microsoft Edge, and many other browsers.
Note: Please whitelist the official corporate domains in the query before deploying it in production.
Impact
It's essential to carefully monitor the deletion of these keys unless it's part of a testing procedure. Removing API keys will cease the delivery of push notifications from the affected application to end users, potentially affecting crucial business functions such as daily alerts, notifications, marketing campaigns, and more.
Mitigation
Assess the user, application type, and usage details. Reach out to the user to understand the business justification for adding an unknown account to the Firebase project. Validate any approval tickets associated with this action, and if there are any concerns, consider blocking the user account and revoking access. Conduct a thorough investigation to ensure that no unauthorized activities were performed by the user. If the action is deemed legitimate, resolve the alert and consider adding the user account to the whitelist for future access.
MITRE Tactic: TA0040
MITRE Technique: T1489
GCP Firebase Project - Web Push Certificate Key Was Created by an External User
This alert gets triggered when an external user generates a new web push API key and it is not associated with your corporate domain. Google's Firebase Cloud Messaging (FCM) is a cross-platform messaging solution that lets you reliably send messages at no cost. Using FCM, you can send push messages to your web applications. FCM supports web push messages on Chrome, Firefox, Microsoft Edge, and many other browsers.
Note: Please whitelist the official corporate domains in the query before deploying it in production.
Impact
Firebase Cloud Messaging utilizes Application Identity key pairs to establish connections with external push services. It's crucial to carefully review the creation and usage of API keys to ensure they are securely stored. Otherwise, unauthorized individuals could exploit these keys to send abnormal notifications to your clients, raising significant concerns including privacy issues, the dissemination of harmful content, phishing attempts, malware distribution via notifications, and unauthorized requests for confidential personal information and offers.
Mitigation
Please verify the application type, usage, and creator. If it seems related to the Dev/QA environment, you can close it. Otherwise, notify the user to confirm the activity. Identify the user's account permissions and ensure that the API key is securely stored in the password manager with restricted access. If anything seems suspicious or if the key is compromised, promptly delete the key, generate a new pair, and update it. Additionally, consider whitelisting the user account to prevent future unauthorized access.
MITRE Tactic: TA0002
MITRE Technique: T1204
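The trigger conditions these alerts describe are simple to state but worth seeing as executable detection logic: a "more than N in 10 minutes" count per actor (the SHA listing, Multiple Apps Updated and Mass User Accounts Destruction alerts) and a corporate-domain allowlist for the web push key alerts. The following is added example code, not the Coralogix extension's own queries; it uses the Cloud Audit Log field layout (timestamp, protoPayload.methodName, protoPayload.authenticationInfo.principalEmail), while the methodName values, the example.com allowlist and every log entry are constructed placeholders.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Event-count thresholds as stated in the alert descriptions: "more than N
# in 10 minutes" for the same actor. The method names are constructed
# placeholders, not real Firebase API method names.
THRESHOLDS = {
    "placeholder.ListShaCertificates": 5,  # Multiple SHA Certificates Were Listed
    "placeholder.UpdateApp": 3,            # Multiple Apps Updated
    "placeholder.DeleteUser": 5,           # Mass User Accounts Destruction
}
WINDOW = timedelta(minutes=10)

# Actions that should only come from corporate accounts
# (Web Push Certificate Key Was Created/Deleted by an External User).
EXTERNAL_SENSITIVE = {"placeholder.CreateWebPushKey", "placeholder.DeleteWebPushKey"}
CORPORATE_DOMAINS = {"example.com"}  # constructed allowlist; put your own domains here


def make_entry(ts, method, email):
    """Build a minimal Cloud Audit Log-shaped entry (constructed sample data)."""
    return {
        "timestamp": ts,
        "protoPayload": {
            "methodName": method,
            "authenticationInfo": {"principalEmail": email},
        },
    }


def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def actor(entry):
    return entry["protoPayload"]["authenticationInfo"]["principalEmail"]


def is_external(email):
    """True when the account's domain is not on the corporate allowlist."""
    domain = email.rsplit("@", 1)[-1].lower()
    return domain not in CORPORATE_DOMAINS


def evaluate(entries):
    """Run the threshold and external-domain rules over the entries in time order.

    Returns a list of (rule, actor, detail) tuples. The threshold rule keeps a
    sliding 10-minute window per (actor, method) and fires once the count
    exceeds the threshold, then resets so one burst yields a single alert.
    """
    alerts = []
    windows = defaultdict(deque)
    for e in sorted(entries, key=lambda x: parse_ts(x["timestamp"])):
        method = e["protoPayload"]["methodName"]
        who = actor(e)
        ts = parse_ts(e["timestamp"])

        if method in THRESHOLDS:
            q = windows[(who, method)]
            q.append(ts)
            while ts - q[0] > WINDOW:   # drop events older than the window
                q.popleft()
            if len(q) > THRESHOLDS[method]:
                alerts.append(("threshold", who, f"{len(q)}x {method} within 10m"))
                q.clear()

        if method in EXTERNAL_SENSITIVE and is_external(who):
            alerts.append(("external_actor", who, method))
    return alerts


def sample_entries():
    """Constructed sample log: a burst of SHA listings, a few app updates and a
    web push key created from a non-corporate account."""
    base = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)

    def ts(minutes):
        return (base + timedelta(minutes=minutes)).isoformat().replace("+00:00", "Z")

    entries = [make_entry(ts(i), "placeholder.ListShaCertificates", "alice@example.com")
               for i in range(6)]                          # 6 in 5 minutes -> alert
    entries += [make_entry(ts(i), "placeholder.UpdateApp", "bob@example.com")
                for i in (0, 4, 8)]                        # 3 in 10 minutes -> no alert
    entries.append(make_entry(ts(60), "placeholder.ListShaCertificates",
                              "alice@example.com"))        # outside the window
    entries.append(make_entry(ts(2), "placeholder.CreateWebPushKey", "mallory@outside.example"))
    entries.append(make_entry(ts(3), "placeholder.CreateWebPushKey", "carol@example.com"))
    return entries


if __name__ == "__main__":
    for alert in evaluate(sample_entries()):
        print(alert)
```

Note that "more than 5" means the sixth event in the window fires the alert, and bob's three updates stay under the "more than 3" threshold.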
GCP Firebase Build - Authentication Configuration Was Updated
This alert gets triggered when authentication settings are modified by the user. Firebase supports authentication using passwords, phone numbers, SMTP, and popular federated identity providers like Google, Facebook, and Twitter.
Impact
Unusual changes in authentication settings can affect your application's configuration and its security checks. Modifying authentication methods, altering domains, changing SMTP configurations, disabling sign-in methods, and other adjustments can directly impact your application's security. Even minor misconfigurations can affect your client's experience, disrupt business operations, or create a backdoor for unauthorized access to your application and its data.
Mitigation
Analyze the logs to understand the changes made by the user by examining the protoPayload.request.updateMask and response fields. If the changes pertain to any configurations, contact the user for validation and business approval. If the changes were part of a business update, close the event. Otherwise, revert the changes to their original state, ensuring there is no impact on user experience and that the app remains secure from unauthorized access. If necessary, restrict such editing permissions to leads and senior members only.
MITRE Tactic: TA0040
MITRE Technique: T1496
GCP Firebase Build - Storage Bucket Was Removed
This alert gets triggered when a Firebase storage bucket is removed/deleted by the user. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. You can use buckets to organize your data and control access to your data, but unlike directories and folders, you cannot nest buckets.
Mitigation
Identify the production and critical storage buckets affected and determine the user responsible for the action. Contact the user to understand the rationale and proceed accordingly. If the action was part of a test, close the incident. Otherwise, involve the engineering team to restore the bucket data from backups or revert to a previous version if feasible. Implement real-time backup for storage buckets and reinforce security controls to prevent similar incidents in the future.
MITRE Tactic: TA0040
MITRE Technique: T1485
GCP Firebase Build - Realtime DB Backup Configuration Was Modified
This alert gets triggered when a Realtime Database backup configuration is modified by the user. The Firebase Realtime Database is a cloud-hosted NoSQL database that lets you store and sync data between your users in real time.
Impact
Changes in Firebase Realtime Database backup configuration can have several impacts. Adjusting the frequency or scope of backups affects data recovery capabilities; less frequent backups might lead to data loss in the event of a failure, while more frequent backups could increase costs and storage usage. Altering backup locations or retention periods can also impact compliance with data protection regulations and organizational policies.
Mitigation
Limit critical events to business leads with an additional layer of approval process. Review user-initiated changes, particularly those affecting destination paths, backup frequency, types, exceptions, etc. For critical changes, obtain valid business approval from the user or designated approver. If the changes weren't approved, involve the engineering team to roll back changes and ensure backups adhere to business policies. Properly managing backup configurations is crucial for maintaining data integrity, security, and availability aligned with your application's requirements.
MITRE Tactic: TA0040
MITRE Technique: T1565
GCP Firebase Build - Realtime DB Instance Was Disabled
This alert gets triggered when a Realtime Database instance is deleted by a user. The Firebase Realtime Database is a cloud-hosted NoSQL database that lets you store and sync data between your users in real time.
Impact
Deleting a Firebase Realtime Database instance permanently removes all stored data and associated configurations, leading to irreversible data loss. Applications relying on this instance will experience disruptions, including the inability to read or write data. This action can break app functionality, leading to errors and potentially a poor user experience until the instance is restored or a new database is configured.
Mitigation
Review the logs to identify the database type, usage patterns, and the user involved. If the database is critical or used in a confidential/production environment, verify with the user. If it's part of routine business operations, resolve the issue and close the incident. Otherwise, engage the engineering team to restore the database using the latest synced backups. If necessary, create a new database with identical configurations and attempt to recover as many historical records as possible.
MITRE Tactic: TA0040
MITRE Technique: T1485
GCP Firebase Build - Filestore Index Was Deleted
This alert gets triggered when an index is deleted by a user. A single-field index stores a sorted mapping of all the documents in a collection that contain a specific field. Each entry in a single-field index records a document's value for a specific field and the location of the document in the database.
Impact
Removing an index in Firebase on GCP can have substantial repercussions for your application. This action may result in queries that previously relied on the index failing or becoming less efficient, which can lead to longer read times and increased operational costs. Furthermore, features that depend on these queries may suffer from performance degradation or errors until the index is reinstated or alternative indexing strategies are adopted.
Mitigation
Review the logs to identify the type of index and the user involved. If any deletions seem suspicious or unusual, verify with the user. If it's part of a legitimate business activity, close the incident. Otherwise, engage the engineering team to restore the index configurations or create a new index with the previous settings.
MITRE Tactic: TA0040
MITRE Technique: T1489
GCP Firebase Build - Filestore Database Was Deleted
This alert gets triggered when the user deletes a Filestore database. Filestore enables immediate access to data for high-performance, smart analytics without the need to lose valuable time on loading and off-loading data to clients' drives.
Impact
Filestore is crucial for Firebase data storage and integration with your application. Deleting a production or critical database could significantly impact business operations due to data unavailability. This includes effects such as inaccessible data for users, blank records in the user interface, compromised data analytics, diminished customer trust, and potential revenue loss. Such actions could be initiated by insider threats or adversaries aiming to disrupt your business services, possibly from competitor organizations.
Mitigation
Identify the production and critical databases affected and the user responsible for deleting records. Contact the user for justification and proceed accordingly. If it was part of a test or a database replica, close the incident. Otherwise, engage the engineering team to restore the database from backups or previous versions if feasible. Implement measures to prevent future incidents, such as enabling real-time database backups and reinforcing security controls to safeguard against unauthorized deletions.
MITRE Tactic: TA0040
MITRE Technique: T1485
GCP Firebase Build - Installed Extension Was Deleted
This alert gets triggered when an installed extension is deleted by a user. A Firebase Extension is code that performs a task whenever a specifically defined event occurs in your app or project. Extensions are designed to increase productivity: Firebase Extensions provide extended functionality to your apps without the need to research, write, or debug code on your own.
Impact
An extension is crucial for coding, scanning code for vulnerabilities and bugs in real time, and parsing secrets. Deleting such critical extensions could significantly impact the overall application experience and its integrity. Developers may lose the ability to securely store credentials, detect bugs or misconfigurations, bypass security checks, and potentially face other security threats depending on the capabilities of the extension.
Mitigation
Identify the type of application and the connected extension that was deleted by the user. If this is a critical extension essential for application development and security, contact the user for verification and proceed accordingly. If necessary, reinstall the extension and ensure it is properly connected to the affected application to resume expected services.
MITRE Tactic: TA0040
MITRE Technique: T1489
GCP Firebase Build - New Extension Was Installed
This alert gets triggered when a new extension is installed using the AdMob service. A Firebase Extension is code that performs a task whenever a specifically defined event occurs in your app or project. Extensions are designed to increase productivity: Firebase Extensions provide extended functionality to your apps without the need to research, write, or debug code on your own.
Impact
Installing insecure extensions from unknown developers or third parties poses a significant risk to your enterprise application and its security. In the cyber realm, integrating third-party apps or extensions has often led to data breaches, unauthorized access, compromised data privacy, insecure code, and leaks. Depending on the permissions granted to extensions, the potential impact of an attack can be extensive and far-reaching.
Mitigation
Establish a trusted list of extensions, developers, and third-party companies, and download only from reliable sources. Analyze the logs to identify the types of extensions downloaded by users, investigate their usage and permissions, and communicate all relevant details to the user for justification. If necessary, have IT engineering test the extensions and add them to the trusted list. Otherwise, remove the extensions and suggest alternative trusted options for the same purpose.
MITRE Tactic: TA0003
MITRE Technique: T1020
GCP Firebase Build - App Hosting Service Account Was Created
This alert gets triggered when a service account is created for hosting the application. Firebase uses service accounts to operate and manage services without sharing user credentials.
Impact
The App Hosting service account integrates directly with the GitHub account and repositories. It is crucial to review the creation of the service account, the GitHub connection, and the selection of the correct repository to safeguard business code and its internal tokens, keys, and credentials. Misconfigurations could expose your code to risks such as data exfiltration and unauthorized access.
Mitigation
Analyze the logs to identify the service account and its relevant configurations. If this was part of a test, you can close the event. Otherwise, contact the user to validate the service account, GitHub account, repository selection, etc. If all configurations adhere to best practices, close the case; if not, modify the settings according to your internal security best practices.
MITRE Tactic: TA0042
MITRE Technique: T1585
GCP Firebase Build - App Check Config Was Updated
This alert gets triggered when an App Check configuration is updated/modified by a user. App Check is an additional layer of security that helps protect access to your services by attesting that incoming traffic is coming from your app, and blocking traffic that doesn't have valid credentials. It helps protect your backend from abuse, such as billing fraud, phishing, app impersonation, and data poisoning.
Impact
App Check settings manage your app's security, preventing various attacks such as phishing, fraud, and impersonation. Configuration changes to these settings must be validated to maintain the application's authenticity and integrity. Unauthorized changes could expose the application to multiple attack vectors, compromising business security and damaging its reputation.
Mitigation
Identify the type of changes and the user who made them. If unusual or critical changes are detected, contact the user for validation and take appropriate action. If the changes are part of a business activity, close the event. Otherwise, revert the changes and have the concerned team verify that the application is configured according to business requirements.
MITRE Tactic: TA0002
MITRE Technique: T1204
GCP Firebase Build - Debug Token Was Deleted
This alert gets triggered when a debug token is deleted by the user. Debug tokens allow development and testing environments to pass App Check verification. Use these tokens while developing on local simulated environments, or running tests in a continuous integration (CI) testing environment.
Note: If required, set the threshold for multiple deletions per your requirements.
Impact
Deleting a debug token will affect application verification, potentially compromising application security. An adversary could exploit this to inject malicious code, endangering end users. Unauthorized changes or tokens might allow adversaries to perform remote execution, command and control operations, privilege escalation, and unauthorized access to services.
Mitigation
Review the logs, the type of application, and the affected token. If the application is critical or in production, contact the user for verification. If it is part of a business activity, close the case. If not, ensure the developer creates a new debug token with proper validation. Additionally, confirm the token is correctly configured with the application and functioning as expected.
MITRE Tactic: TA0040
MITRE Technique: T1489
Integration
Learn more about Coralogix's out-of-the-box integration with GCP Firebase in our documentation.