Now, I want that read should be allowed to everyone but writing should be user specific. Like a user with mobile number +1234567890 should be allowed to change his tag(name) value only.
If I somehow don’t provide API key and url of my firebase database in the apk (source code) and it only get them while the apk runs…Is my database secure in this case?
It can be still hacked, I don’t think rules can protect a complex user database from getting hacked. The changes that you do in your FDB from app can be done from outside sources too wether you use (rules + AppCheck token) or not.