I have an app that is currently in the Google Play stores. I was using a local Realm with that app, without sync. This year, I was asked to implement online storage, so I started switching my app over to use sync. This process has gone reasonably smoothly, but now I’m getting random users appearing in my App Users table. The updated app is on the Google Internal test track, and not available outside 5 internal testers.
All of the users created their account and logged in within the space of 8 minutes, using Google, oauth2-google, and Android 6.0.1
The first time this happened, I thought it may have been because I accidentally added a debug signing key to the Google Cloud Platform credentials list, but I’ve eliminated that as a possibility. At no point have I shared my clientIds/secrets etc. and have only Google signed keys set up in there. I deleted all the extra users, and they didn’t reappear until this Friday, when another 16 users appeared. They appear to be the same users as the first time. It seems very odd that they would be so closely clustered together, and using the same OS version.
How could this be happening?
One important point to understand for Realm is that, once you set an Authentication Provider, it’s perfectly possible for anyone that passes that authentication to be registered as a Realm user in your app. If your testers are using different Google users to test your app, all those users will appear in your list. If you want to limit the access users can have to the data, you’ll have to set the permissions yourself.
If the app has already been uploaded to the Google Play Store, even though as Internal Test, it’s also possible that Google is performing automated checks, that will of course appear as more users in the list.
As stated above, that wasn’t necessary - any Google user can create an account within your app, once that Authentication Provider is enabled (and it’s true for any Authentication Provider). Please note that Realm users are completely separated from Atlas users, i.e. they only access your app and have the permissions you set, there’s no danger for them to go peek into parts of the database they aren’t allowed in.
Hope the above helps!
Thanks for the reply. Giving the timing of the sign ins relative to when I updated the build, it makes some sense that it could be Google automated testers. I will keep an eye on it the next time I upload a build to see if this is what is happening.