Secure an Application with the Pangea and Twilio Firebase Extensions

May 10, 2023
Written by
Nicolas Vautier
Contributor
Opinions expressed by Twilio contributors are their own
Reviewed by

secure an application with pangea and twilio firebase extensions header

Firebase, similar to the Pangea and Twilio platforms, helps you develop high-quality apps, grow your user base, and focus on providing your users with your unique value proposition. Each feature works independently, and they work even better together.

In this tutorial, learn how to install and utilize a combination of the Pangea provided Known Malware Detection - which relies on Pangea’s File Intel API service and the Send Messages with Twilio Extension to receive SMS notifications when your users upload a malicious file to your app’s Cloud Storage bucket.

Firebase Extensions are an easy way to add third-party services to your Firebase app without the need to write or debug code on your own. Extensions are pre-packaged solutions designed to save development time and quickly deploy functionality into your applications hosted on Firebase. You provide the configuration parameters, such as authentication tokens, for each extension at install time.

All Pangea and Twilio-provided extensions are open-sourced and built on Firebase and Google Cloud products you already know. Deployment and configuration of each extension are performed in the Firebase console or the Firebase CLI, and once deployed, they require no maintenance.

If you’d like to take a look at or contribute to the Pangea or Twilio extensions open source code, head over to their Github repositories: Pangea Firebase Extensions, Twilio Firebase Extensions

Requirements:

  • A free or paid Twilio account
  • A Twilio phone number
  • A Firebase account and project.
  • A free Pangea account

Note: If you do not have a Firebase project to test with, you can learn how to configure a starter application here.

Set up your Pangea account and Access Token

Once you’ve signed up for Pangea, log in and access the Pangea Console. Set up the File Intel service by selecting File Intel from the left-hand navigation menu.

File Intel menu in pangea console

Create an Access Token by selecting a token name, expiration date, and token scope or use the default values by selecting Done.

creating a token modal for file intel

Make a note of the service Domain located on the right side of the page and access Token located at the bottom of the page. You will use each of these values to configure the Pangea Firebase Extension in the next step.

Note: You can quickly copy each value to your system’s clipboard using the shortcuts.

Audit service dashboard

Install the Pangea Known Malware Detection Firebase Extension

Firebase Cloud Storage is designed to store and serve user-generated content with ease as you prototype and scale your application. But what happens when a user uploads a malicious file? The Pangea Known Malware Detection Extension can be configured to automatically check files uploaded by users against a database of 25 million known malicious files, and if deemed dangerous, it can be neutralized by packaging it into a password protected gzip container.

In this section, you will learn how to install and configure the Extension to leverage the Pangea File Intel Service without writing a single line of code.

Step 1: From the Known Malware Detection listing on the Firebase Extensions marketplace, click the Install in Firebase console button:

Known Malware Detection Extension page

Step 2: Select the Firebase project you'd like to deploy the Extension to:

choose project to install extension page

Step 3: Accept the Early Access acknowledgement by clicking the Next button.

installation process for extension: Early Access Partner agreement

Step 4: Review the billing and usage details, and tap the Next button. If you have not done so already, you'll be presented with the option to upgrade your Firebase account to a pay-as-you-go plan, you can do so by clicking the Upgrade project to continue button and following the instructions:

reviewi billing and usage portion of installation process

Note: If you upgrade your billing plan, you will be redirected to the Set up your billing profile section of Google Cloud Platform (GCP). After setting up your billing profile, you may need to restart the Extension install by clicking the install and repeating Step 1 and Step 2.

Step 5: Review the APIs and the resources that will be created by this Extension. If any required Firebase services are not yet enabled, tap the Enable button next to each required service and then click the Next button.

review API"s that will be enabled in extension for installation process

Step 6: In the Review access granted to this extension section, grant the extension permission to Storage and Secrets Manager by clicking the Next button.

review access granted for extension installation process

Note: The Storage Admin permission will be used to store gzip formatted files that contain and neutralize malicious files uploaded to your bucket, and the Secret Manager Secret Accessor permission is required to store your Pangea Auth Token, and optional password for any gzip files created.

Step 7: In the final step, Configure extension, of the install process, you'll be asked to provide a few parameters, some of which are optional. The first two are what region you want to deploy the Extension and where your Pangea services are deployed, respectively. The Extension should be deployed as close to your Firebase Cloud Storage, so ideally, the same region you used when you configured it. The Pangea service base Domain and Auth Token are the values you noted in the previous step but can be copied from the Pangea Console > File Intel Overview page at any time. The Pangea Auth Token and optional password to protect the gzip container should be stored in Google Secret Manager. To do so, click the Create secret button next to each input field after entering their respective value.

The rest of the parameters are either optional or have default values to dictate which buckets you want to monitor for malicious uploads, which paths to include or ignore, and whether to delete or keep a malicious file when it is detected.

configure extension with fields for token in installation process

To receive SMS notifications when a malicious file is detected, enter a valid E.164 phone number to send the notification to. An example of an E.164 formatted number in the US is +13055671234. Then, check the Enable Events box, and enable the firebase.extensions.twilio.send event. This will allow the Pangea Extension to invoke the Send Messages with Twilio Extension. 

 

enable sms event in installation process

To complete the installation, click the Install extension button. After 3-5 minutes the process will complete and the Unknown Malware Detection Extension will automatically check each file that is added to the storage bucket you configured against Pangea’s database of known malicious files. Malicious files will be neutralized and saved in the /malicious but inorder to get notified via SMS you will need to install the Send Messages with Twilio Extension. To do so, perform the steps outlined in the following section.

Install the Send Messages with Twilio Firebase Extension

Step 1: From the Send Messages with Twilio listing on the Firebase Extensions marketplace, click the Install in Firebase console button:

Twilio Firebase Extension page

Step 2: Select the Firebase project you'd like to deploy the Extension to:

Firebase project selection for Twilio extension

Step 3: Review the billing and usage details, and tap the Next button. If you have not done so already, you'll be presented with the option to upgrade your Firebase account to a pay-as-you-go plan, you can do so by clicking the Upgrade project to continue button and following the instructions:

Review billing section of Twilio Installation process

Step 4: Review the APIs and the resources that will be created by the Twilio Extension. If any required Firebase services are not yet enabled, tap the Enable button next to each required service and then click the Next button.

Review enabled APIs for Twilio extension installation

Step 5: In the Review access granted to this extension section, grant the extension permission to Firestore and Secrets Manager by clicking the Next button.

review access granted for twilio extension process

Step 6: In the final step, Configure extension, of the install process, you'll be asked to provide your Twilio Account Sid and Twilio Auth Token. Both these values can be copied from the landing page of the Twilio Console. You can also optionally provide the Twilio number or Twilio Messaging Service Sid to specify the number or service that will send the SMS notification or leave the value empty to use your default Twilio number.

Twilio extension installation - configuration section

Then to complete the installation, click the Install extension button. After 3-5 minutes the process will complete and the Send Messages with Twilio Extension will be installed and ready to accept events from the Pangea Known Malware Detection Extension. You will see both listed in the Extensions tab of the Firebase console.

Installed extensions in Firebase project console

Test the Twilio and Pangea Extensions

Instead of testing the Known Malware Detection Extension with a real malicious file or virus, you can use a file developed by the European Institute for Computer Antivirus Research (EICAR) known as the EICAR Anti-Virus test file. It was developed to test the response of computer anti-virus (AV) programs. Instead of using real malware, which could cause real damage, this test file allows you to test anti-virus software without having to use a real computer virus. To do so, do the following:

Step 1: To create the EICAR antivirus test file, create a file with this string:

5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Note: You can also download the test file directly from: eicar.com

Step 2: Using the Firebase Project Overview left-hand menu, expand the Build section, and select Storage.

Storage menu of Firebase project

Step 3: Click the Upload file button, and select the eicar-test-file.com file you downloaded in the previous step. After a few seconds, you will notice that the file was moved into a .zip file under the path you configured and you should receive an SMS notification to the number you provided. If you also choose the default extension configuration, the complete path will be /malicious/eicar-test-file_com.zip. You can download this file, inspect its contents, or send it to an incident response team for analysis.

Note: You may need to refresh the browser to load the updated paths.

Note: You can also try to upload a non-malicious file and note that the Extension does not process it and an SMS notification is not sent.

Conclusion

In this article you learned how to leverage the Pangea Known Malware Detection Firebase Extension to automatically protect your Cloud Storage bucket and get real-time SMS notifications using the Send Messages with Twilio Extension. Using the Firebase console and an anti-virus test file you were able to quickly test the use case but it is important to note that any file uploaded by users of your application will be processed in the same manner.

Regardless of your use case, whether you are building a human resources application that accepts candidate resumes that will be downloaded by a hiring manager, or a collaboration tool allowing your users to share files, regulating and minimizing the threat of malicious users on your platform is critical to ensure the trust of your users. If you’d like to explore the other Pangea or Twilio Extensions visit the official Firebase Extensions.dev marketplace listings.

Nicolas Vautier is a Developer Advocate at Pangea Cyber and is a privacy and data security enthusiast. If you have questions, comments, or ideas for future posts, Nicolas can be reached at nicolas.vautier@pangea.cloud. Follow him on Twitter @DeveloperEnvY to join his journey as he helps unify security services for app builders @PangeaCyber.