Fix Security & Architecture Issues in Firebase/React Native App (Audit Provided) — Fixed Price
Budget: $1,900 (fixed price)
⭐ 5.00 (27)
United Kingdom
node.js, react-native, firebase, mobile-app-development, api-development
I run a UK pre-launch mobile app (iOS + Android, React Native + Firebase). An independent technical audit recently identified a number of security and architecture issues that need fixing before I can launch publicly. I have the full audit report (PDF, written in plain English with technical detail and console evidence) and will share it with shortlisted applicants under NDA.
Important context — please read before applying:
• The single most urgent item (open Firestore/Storage rules) is already being remediated by the original developer this week and is NOT part of this job. Do not quote for re-locking the database rules from scratch — that work is already underway. You’ll be picking up from a database that has basic per-user access rules in place, but with the deeper architectural issues below still open.
• A separate small set of items (incomplete analytics, leftover test data in production) are covered under the original developer’s existing free rectification commitment and are also NOT part of this job.
• This job is the remaining list: the items that were never paid for as a deliverable in the first place, and need a developer to build properly.
• All work will be independently verified by a second technical reviewer before any milestone payment is released — using the same method as the original audit (Firebase rules simulator with auth switched off, screenshot evidence). Please only apply if you’re comfortable working to that standard of proof, not just a verbal “it’s done.”
What needs fixing (full detail in the shared audit PDF):
1. Server-side payment/subscription verification — Premium status is currently set by a client-side write with no verification against Apple/Google that a real purchase occurred. Needs proper server-side receipt verification (Cloud Function or equivalent) so entitlement can never be self-granted.
2. Password reset brute-force vulnerability — The reset-code verification has no attempt limit and no expiry, so the code for any account can be found by brute force. Needs rate-limiting/lockout on failed attempts and an expiry on each code, both enforced server-side.
3. Admin access control — Admin role is currently decided client-side. Needs to move to a server-verified custom claim or equivalent, checked on every admin function and route.
4. Secret & key hygiene — Several live API keys are hard-coded in the codebase and in a committed log file. Need rotating, moving to a managed secret store, and scrubbing from git history.
5. Unauthenticated backend functions — Most Cloud Functions (OTP send/verify, broadcast notifications, moderation, etc.) accept calls with no authentication check. Needs auth enforcement added across the board, plus Firebase App Check.
6. Hard-coded premium backdoor — A specific email address is hard-coded to receive free lifetime premium on signup. Needs removing entirely.
7. Unauthenticated broadcast notification function — Currently anyone can trigger a push notification to all users. Needs auth + admin-role check added.
8. Unauthenticated moderation function (cost/SSRF risk) — Calls paid AI/vision APIs and fetches arbitrary URLs with no auth and no allow-list. Needs auth added and the URL fetch restricted.
9. Subscription expiry logic — Currently relies on the device’s own clock, which is trivially bypassable. Needs to move to server-side, verified expiry.
10. Apple App Store compliance — Missing “Restore Purchases” control (guideline 3.1.1) and disabled Terms/Privacy links on the paywall (guideline 3.1.2). Both need re-enabling/adding correctly.
11. Code cleanup — Dead/duplicate subscription code with an incorrect product ID, stray Firebase deploy config defaulting to production, dependency version mismatches, hard-coded pricing that should read from the store.
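For applicants sizing items 2, 3, 5, 7 and 8: the following is an added illustration of the server-side checks those items ask for, written as a plain Node module. It is not code from the app, the audit or the Firebase SDK. It assumes the shape firebase-functions v1 passes to `onCall` handlers (`context.auth.uid`, custom claims on `context.auth.token`, `context.app` set only when the App Check token verified); the error codes match `HttpsError` names but are plain `Error`s so the snippet runs without the SDK, and the attempt limit, code lifetime, `broadcastHandler` and the allow-listed host are hypothetical values chosen for the example.

```javascript
'use strict';

// Added example, not the app's or the audit's code. Error codes mirror the
// strings functions.https.HttpsError uses; plain Error keeps this offline.
class CallableError extends Error {
  constructor(code, message) { super(message); this.code = code; }
}

// Items 3, 5 and 7: every callable checks App Check, then sign-in, then the
// server-set admin custom claim when the function is admin-only.
// `context` mirrors the firebase-functions v1 callable context (assumption).
function requireCaller(context, { admin = false, appCheck = true } = {}) {
  if (appCheck && !context.app) {
    throw new CallableError('failed-precondition', 'App Check token missing or invalid');
  }
  if (!context.auth || !context.auth.uid) {
    throw new CallableError('unauthenticated', 'sign-in required');
  }
  const claims = context.auth.token || {};
  if (admin && claims.admin !== true) {
    throw new CallableError('permission-denied', 'admin custom claim required');
  }
  return context.auth.uid;
}

// Hypothetical shape for the broadcast function (item 7): `send` is injected
// so the example stays offline; in production it would wrap the FCM call.
function broadcastHandler(data, context, send) {
  const uid = requireCaller(context, { admin: true });
  return send({ title: data.title, body: data.body, sentBy: uid });
}

// Constant-time string compare; reset codes are fixed-length, so the early
// length check leaks nothing useful.
function constantTimeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Item 2: reset-code verification with an attempt cap and expiry. `now` is
// the server's clock in ms (Date.now() inside the function); nothing the
// device reports is trusted, the same rule item 9 asks for on subscription
// expiry. Limits are illustrative.
const MAX_ATTEMPTS = 5;
const CODE_TTL_MS = 10 * 60 * 1000;

class ResetCodeStore {
  constructor() { this.records = new Map(); } // uid -> { code, issuedAt, attempts }

  issue(uid, code, now) {
    this.records.set(uid, { code, issuedAt: now, attempts: 0 });
  }

  verify(uid, candidate, now) {
    const rec = this.records.get(uid);
    if (!rec) return { ok: false, reason: 'no-code' };
    if (now - rec.issuedAt > CODE_TTL_MS) {
      this.records.delete(uid);
      return { ok: false, reason: 'expired' };
    }
    if (rec.attempts >= MAX_ATTEMPTS) return { ok: false, reason: 'locked' };
    rec.attempts += 1; // count before comparing so every mismatch costs an attempt
    if (!constantTimeEqual(rec.code, candidate)) {
      return { ok: false, reason: rec.attempts >= MAX_ATTEMPTS ? 'locked' : 'mismatch' };
    }
    this.records.delete(uid); // single use
    return { ok: true };
  }
}

// Item 8: the moderation function may only fetch https URLs on a fixed host
// allow-list (hypothetical entry), so a caller cannot point it at internal
// services such as the cloud metadata endpoint.
const ALLOWED_FETCH_HOSTS = new Set(['firebasestorage.googleapis.com']);

function allowedFetchUrl(raw) {
  let url;
  try { url = new URL(raw); } catch (e) { return false; }
  return url.protocol === 'https:' && ALLOWED_FETCH_HOSTS.has(url.hostname);
}
```

In a deployed function the reset-code records would live in Firestore rather than an in-memory Map, since Cloud Function instances do not share memory, and the admin claim would be set only from a trusted environment with the Admin SDK, never from the client. The rules-simulator evidence the reviewer asks for covers Firestore/Storage access; for callable functions the equivalent proof is a call made with no ID token (and one with a non-admin token) returning the `unauthenticated` / `permission-denied` error.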
Tech stack: React Native, Firebase (Firestore, Storage, Cloud Functions, Auth), Node.js.
What you’ll get from me:
• Full audit PDF with technical detail, evidence, and exact file/function references for each issue
• Read access to the relevant parts of the codebase and Firebase console for scoping
• Direct point of contact for questions — I’m the founder, not a technical hire, so please flag anything that needs plain-English clarification
Budget — please read before applying:
Total budget for this job is fixed at $1,900 USD (≈£1,500), and this is a hard ceiling — it cannot be increased once work begins. If your estimate for the full list above comes in higher than that, please don’t apply expecting to negotiate up later; instead, use the “prioritisation” question below to tell me what you’d do within budget. I’d rather know now that the full list doesn’t fit $1,900 than find out at milestone 3.
How this will run:
• Fixed price, paid per milestone, not as one lump sum
• Each milestone must be demonstrated working on a real device/build before payment, with verification evidence in the same style as the audit (e.g. rules simulator screenshots for any access-control fix)
• An independent reviewer checks each milestone before I release payment — this isn’t optional and isn’t a reflection on you personally, it’s a standard I’m applying to all contractors after a prior negative experience
• Clear written scope per milestone agreed before work starts on it
• No scope or budget increases once work begins. If something genuinely unexpected is discovered, we pause and agree a separate, additional fixed-price arrangement for it — it doesn’t get added to this one silently.