Firebaseui-android: Authenticated as a user after logging out and reinstalling

Created on 4 May 2017 · 10Comments · Source: firebase/FirebaseUI-Android

Android device: Moto E3
Android OS version: 6.0
Google Play Services version: 10.2.1
Firebase/Play Services SDK version: 10.2.1
FirebaseUI version: 1.2.0

The problem:

Steps to reproduce:

On logging in with facebook
logging out with the following (verifying it works and CompleteListener is called)

AuthUI.getInstance()
                .signOut(this)
                .addOnCompleteListener(task -> {
                    if (task.isSuccessful()) {
                        finish();
                    } else {
                        Toast.makeText(this, R.string.sign_out_failed, Toast.LENGTH_LONG).show();
                    }
                });

Uninstalling and reinstalling
On launch, the first thing I do is call FirebaseAuth.getInstance().getCurrentUser() which returns the user that I had logged out before reinstalling
Additionally: If I retry these steps, and instead of uninstall/reinstall in step 3, I just kill the app and relaunch, I'm getting null for FirebaseAuth.getInstance().getCurrentUser()

NOTE: I'm also allowing backup in my manifest with android:allowBackup="true"

It appears to not happen if I set android:allowBackup="false" although I haven't tested this extensively enough to be 100%.

Expected Results:

After logging out, having no other way to get the current user without first logging back in

Source

ahaverty

Most helpful comment

@ahaverty so I can't say I know what Facebook is storing locally on the phone, but I can tell you what Firebase is storing.

Firebase keeps an authentication token in your app's local storage. This identifies the user but does not give them access to actually do anything unless it's refreshed every hour. The Firebase SDKs that use this token (like realtime database) seamlessly handle this refresh for you which is why you don't have to think about it. If you attach an AuthStateListener in your app you'll see that you get a new event every hour as the token changes.

So there's no security risk of restoring this token, since auto backup is linked to the user's google account anyway. This would be different if we were storing, say, a Google Sign In access_token which could be taken out of context and used to impersonate the user.

samtstern on 5 May 2017

👍2

All 10 comments

Originally reported in a comment in #644

ahaverty on 4 May 2017

👍1

@ahaverty Noooooooooooooo! 😁 Please don't disable auto backup; this "bug" is a feature that's great UX. The idea is that if a user is changing devices or reinstalling your app for one reason or another, they can get right back to whatever they were doing instead of having to go through some long and annoying setup. Hope this swayed your opinion a little! 😁

SUPERCILEX on 4 May 2017

👍1

You're right, it's probably doing more harm disabling backups. My main reason for disabling was to make testing a fresh install easier during development (removing shared preferences & un-authenticating), but really I should keep backups enabled and look into starting fresh for debug builds only. Any suggestions there?

The main reason I'm wondering if this is a security bug:
If I logout of any online service, like a website via chrome on my Mac for example. Once I logout and end my authenticated session, I would expect that if I were to roll back my Mac to a backup from a week ago, that I wouldn't be automatically authenticated to that website again.

If it's the backup that's causing this issue, does that mean the backup is storing some form of my credentials or a "session" that should no longer be authenticated? 🤔

ahaverty on 4 May 2017

@ahaverty so I can't say I know what Facebook is storing locally on the phone, but I can tell you what Firebase is storing.

samtstern on 5 May 2017

👍2

@ahaverty I hope that's convincing to you, and @SUPERCILEX has provided some good justification as to why we don't tell developers to turn off auto backup. I am going to close this issue as "working as intended" but we can keep discussing if you're curious.

samtstern on 5 May 2017

Sounds good, thanks @SUPERCILEX and @samtstern 👍

ahaverty on 5 May 2017

@samtstern wow, that's really great info about Firebase Auth!!! 😁 Great explanation!

SUPERCILEX on 5 May 2017

Is this the same issue I am having or should I file a separate bug?
My app has been recovering firebase auth token after page refresh (even close tab and reopen),
however, IT DOES IT EVEN AFTER LOGGING OUT!
I call this.authService.logout() which seems to log it out, but it comes right back after page refresh!

polyglotinc on 9 Sep 2017

@polyglotinc you should bring this up here:
https://github.com/firebase/firebase-js-sdk

samtstern on 11 Sep 2017

sam its me again, this experience is not that great. if user has logged in with multiple accounts and then logs out and re-installs app it sometimes not using the last login. its using another login. im not sure if its because it needs time to back up but this is a security concern . dont you have a toggle you could make when opening firebase auth so we can decide if we want this feature or not. this is a security concern because user has uninstalled the app and expects all data is gone. i think we should have a setting in to decide if user should have this or not. what do you think ?