I have built an app (Android/iOS) using Flutter that allows its users to configure the app to receive a daily notification. Users can also submit a textfield. There is no requirement for users to register and authenticate.
I am using Firestore to store data from the app.
I have architected the app so that the Firestore rules allow any access:
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}
To prevent anyone accessing my app's Firestore instance, I have implemented App Check, and Enforcement is enabled.
I have begun to get messages from Google '[Firebase] Your Cloud Firestore database has insecure rules'.
Can anyone advise:
Thanks,
Luke
1. Should I ignore the warnings from Google?
Ignoring the warning is not recommended as it may cause security issues.
If you're allowing anyone to access the database, then they can take advantage and modify or delete your data, and your database remains unsecured.
2. Must I implement user registration and authentication when it's not necessary for the app?
If authenticating users is not necessary for your application, then you can apply some validation rules to restrict certain database nodes, or you can permit role-based access. In this way you can reduce security issues.
@samthecodingman has given excellent details about a number of ways to tighten up the database to prevent security issues in a similar thread.
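As an added illustration of the validation-rule approach suggested in the answer (not code from the original post or from the linked thread), the ruleset below keeps the app unauthenticated but replaces `if true` with create-only, shape-checked writes. The collection name `submissions`, the fields `text` and `createdAt`, the 500-character limit, and the premise that the client never needs to read submissions back are all assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Hypothetical collection holding the text field users submit.
    match /submissions/{submissionId} {

      // Clients may add a document, but only one with exactly the
      // expected fields, a bounded string, and a server-set timestamp.
      allow create: if request.resource.data.keys().hasAll(['text', 'createdAt'])
                    && request.resource.data.keys().hasOnly(['text', 'createdAt'])
                    && request.resource.data.text is string
                    && request.resource.data.text.size() > 0
                    && request.resource.data.text.size() <= 500
                    && request.resource.data.createdAt == request.time;

      // No client can list, read, overwrite or delete submissions.
      allow read, update, delete: if false;
    }

    // No catch-all /{document=**} match: any path without a matching
    // allow statement is denied by default.
  }
}
```

For the `createdAt` check to pass, the client has to write that field with the SDK's server timestamp sentinel rather than a device clock value.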