Firebase secures its real-time back-end service

Firebase, the San Francisco startup behind a popular backend for real-time apps, is adding an API which should make those apps more secure. Firebase’s service is s a real-time analog to mobile backends-as-a-service from Parse, Stackmob, Kii and Kinvey. It’s gained traction among developers who want to build apps quickly with immediate feedback — they write code in one window and it renders in another. Developers says this provides an elegant way to build apps without having to mess with servers. But that model poses some security concerns, which Firebase says its new API will address.

firebasescreenAs Firebase Co-Founder James Tamplin described it, the company built a JavaScript-like rules system that assigns every piece of data in Firebase with one or more rules. “Eg. ‘Only let a user use the app if they’re logged in or ‘only allow 5-digit numbers entered in a field,'” Tamplin told me via email.

Aris Samad, CEO of QuickSchools, which built a school management system that enables class scheduling with real-time updates, was thrilled to hear the news. While QuickSchools password-protected its apps, Firebase needed to address security so that more apps could go into production, Samad told me.

In a blog post announcing the API, Firebase said its security model,

“lets you build secure apps where the client talks directly to the database (Firebase). This is a shift from the normal three-tier architecture (client, server & database) and it makes running your own servers optional for many apps which, in turn, removes the application server as a scaling botttleneck.”

Firebase competes with PubNubPusher and but in many cases developers who turned to Firebase — count Quickschools’ Samad among them — would otherwise have cobbled together their own real-time backend, a chore they have little stomach for. Nathan Bashaw, who this week helped launch Scratchpad, a real-time HTML CSS editor that helps people write code in one window and see it render in another, said Firebase streamlines that whole process. “It cuts out lots of steps, cutting and pasting, sending snippets to other devs and refreshing everything all along,” he said.

Firebase, which launched its code in April, is a Y Combinator 2011 alum, and has raised $1.4 million from Greylock, NEA, Flybridge and angels including Amr Awadallah, CTO of Cloudera.

The new API will be available Tuesday and if it works as advertised, there will be a lot more Firebase mobile apps in production soon.