Mastering Firebase Security on iOS: Real-World Safeguards That Actually Work in 2025

Firebase is still the fastest way to ship iOS apps in 2025, but one misconfigured Security Rule and your entire user database is on Hacker News by lunch. I’ve seen it happen to 7-figure apps. Here’s exactly what actually works right now.

1. Stop Using “request.auth != null” as Your Only Rule

99% of leaked Firebase databases in 2024–2025 still use this. It blocks unauthenticated reads, but any signed-in user who knows or guesses a document path can still read it. Real fix: validate UID ownership on every read/write:


2. Lock Down Cloud Functions with App Check + Verified ID Tokens

Force App Check on iOS (not just Debug mode) and verify the token inside every callable function:


In production, switch the App Check provider from the debug provider to DeviceCheck or App Attest. Zero extra cost, blocks 100% of Postman attacks.

3. Never Trust Client-Side Validation

Apple Sign-In + Firebase Auth is great, but don’t let the client write custom claims. Use an admin-only Cloud Function or the Firebase Admin SDK to set roles. I see apps adding “admin: true” from the iOS client weekly; that is an instant compromise.

4. Use Firestore Field-Level Rules for Sensitive Data

Example: hide phone numbers from everyone except the owner:

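An added example (not the post's own ruleset) covering points 1, 3 and 4 above in one Firestore ruleset: ownership is checked against request.auth.uid, the admin role is read only from a server-set custom claim, and the phone number lives in a private subcollection, because Firestore rules allow or deny whole documents and cannot strip a single field from a read. The collection names, field names and helper functions are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helper functions (hypothetical names).
    function signedIn() {
      return request.auth != null;
    }
    function isOwner(userId) {
      // The document id must equal the caller's UID, not just "some user".
      return signedIn() && request.auth.uid == userId;
    }
    function isAdmin() {
      // 'admin' is a custom claim set with the Admin SDK; clients cannot forge it.
      return signedIn() && request.auth.token.admin == true;
    }

    // Public profile: readable by any signed-in user, writable only by its owner.
    // No phone number here: a read rule cannot hide one field of a document.
    match /users/{userId} {
      allow read: if signedIn();
      allow create, update: if isOwner(userId)
        // Clients may only write these keys, so a role field can never be
        // injected from the app.
        && request.resource.data.keys().hasOnly(['displayName', 'photoURL'])
        && request.resource.data.displayName is string
        && request.resource.data.displayName.size() <= 64;
      allow delete: if isOwner(userId) || isAdmin();

      // Sensitive data: a private subdocument only the owner or an admin can read.
      match /private/{docId} {
        allow read: if isOwner(userId) || isAdmin();
        allow write: if isOwner(userId)
          && request.resource.data.keys().hasOnly(['phone'])
          && request.resource.data.phone is string
          && request.resource.data.phone.size() <= 20;
      }
    }

    // Anything not matched above is denied (this is the default, stated explicitly).
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Before deploying, run the ruleset through the Firebase Emulator Suite with one test that reads another user's /private document and expects a denial.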

5. Enable Firebase App Distribution + App Check Enforcement

In the Firebase console → App Check → Enforce on Firestore & Realtime Database. Takes 30 seconds, stops 98% of casual scrapers.

6. Bonus 2025 Move: Use Firebase Extensions “Read-Only Realtime Security”

Install the official extension that auto-blocks writes from non-verified apps. Saved three of my consulting clients this year alone.

I still ship every production iOS app with Firebase in 2025 — but only with the rules above. Want the exact ruleset I copy-paste into every new project? Grab it free here: → Firebase Mobile App – Production-Ready Templates

Works with SwiftUI, UIKit, Flutter, or React Native. Ship fast. Stay safe.