Account restricted after Safe Browsing flag on internal Firebase web app — seeking guidance

Hi everyone,

I’m looking for advice or next steps on a situation I’m currently facing with my Firebase and Google Cloud setup.

I developed an iOS, Android, and web application for internal organizational use. The web app had been functioning smoothly for almost two months before, last Wednesday, it was suddenly flagged by Google Safe Browsing for containing deceptive or phishing content. The app does not collect any user data or perform any actions resembling phishing or social engineering—it’s only used internally to view and manage data stored in Firebase.

After the flag appeared, I followed the recommended site verification process to confirm ownership, but all verification methods failed—likely because the site was blocked and couldn’t be rebuilt properly. Based on Gemini’s responses, the verification failure seemed to be due to the blocked state of the site.

I audited all code, authentication logic, and Firebase configurations to ensure full compliance, then submitted an appeal. After not hearing back for several days, I temporarily hosted the same web app in a different Firebase folder for internal testing only, while waiting for the review.

Earlier today, our organization started enabling Enhanced Support to get direct help from Google. However, by the afternoon, just as permissions were being configured, the entire account was restricted, which halted access to Firebase, the in-progress Android app build, and the linked iOS app project.

As the sole developer and only person with access to the code, I’m confident the app doesn’t engage in any malicious, deceptive, or data-collecting behavior. It’s strictly for internal use and doesn’t interact with external users.

Has anyone experienced something similar? Is there a recommended way to contact Google directly or provide verification when Safe Browsing prevents access? I’d appreciate any insights or escalation paths that could help resolve this.

Thanks in advance for your time and guidance.
Pravar


Wow, Pravar, this sounds like an incredibly frustrating and challenging situation, especially with your entire account being restricted. It’s truly a nightmare when something meant for internal use gets caught up in automated flagging systems, and then escalates to this level, halting all your critical development.

Let’s break this down and figure out some potential next steps.


Immediate Priority: Account Restriction

The full account restriction is the most critical issue right now, as it’s blocking everything.

  • Leverage Enhanced Support: You mentioned your organization started enabling Enhanced Support. This is absolutely the right path.

    • Escalate Internally: Ensure the internal team responsible for Google Cloud accounts and billing within your organization is pushing this with Google as hard as possible. You need direct communication with a human at Google who can understand the nuance of your situation.

    • Provide Context Immediately: As soon as you get through to a support agent, clearly and concisely explain the timeline: Safe Browsing flag → failed verification → temporary hosting → then the account restriction. Emphasize that the restriction occurred while you were trying to get help via Enhanced Support, which is particularly ironic and disruptive.

    • Identify Critical Impact: Highlight the immediate business impact: halting iOS and Android app builds, blocking access to crucial Firebase data, and stopping internal operations. This often helps to convey the urgency to support teams.


Addressing the Safe Browsing Flag (Once Account Access is Restored)

Once you regain access, you’ll need to deal with the Safe Browsing flag more directly.

  • Documentation is Key: Prepare comprehensive documentation outlining:

    • The app’s sole purpose for internal organizational use.

    • The complete lack of external user interaction or data collection.

    • Your strict authentication protocols (e.g., Firebase Authentication with internal identity providers, if applicable).

    • The exact code base and Firebase configurations that demonstrate compliance.

  • Direct Appeal with Context: When you re-submit your appeal (or follow up on the existing one), make sure you can include this detailed explanation. If possible, point them to specific files or configurations that prove its benign nature.

  • Alternative Verification: If the firebaseapp.com domain remains problematic for verification due to the block, you might need to temporarily deploy a very simple static file (like an index.html with a meta tag for verification) to a different, non-Firebase custom domain you control, just to pass the ownership verification for the Google Search Console. Once verified, you can provide the necessary details for the Safe Browsing team.


Preventative Measures Moving Forward

Once this is resolved, you might consider these steps to prevent recurrence:

  • Custom Domain for Internal Apps: If you’re not already, consider using a custom domain for your internal web apps instead of the default *.firebaseapp.com domain. This can sometimes provide a clearer separation and less chance of being generically flagged.

  • Google Search Console & Safe Browsing: Even for internal apps, it might be worth regularly monitoring the Google Search Console for any unexpected issues related to your domain. This can give you an early heads-up.

  • Explicitly Inform Google: Is there a way, perhaps through Cloud Support, to register your application as an “internal-only tool” or similar classification to prevent it from being scanned by public-facing tools like Safe Browsing? This might be a question for your Enhanced Support contact.


This is a tough spot, Pravar, but getting direct human intervention through Enhanced Support is your strongest play. Don’t hesitate to push for escalation if you’re not getting a clear path forward.

Please keep me updated on how things progress, and if there’s anything else I can help you research or draft, let me know!
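
Added example, not part of either post above: the reply suggests regularly monitoring for Safe Browsing issues, and one way to automate that early warning is to query the Safe Browsing Lookup API (v4) for the URLs you own and alert on any match. The hostname, client ID and API key below are placeholders, and the sample response is constructed for illustration.

```python
import json
import urllib.request

# Safe Browsing Lookup API v4 endpoint; the key is a placeholder you supply.
ENDPOINT = "https://safebrowsing.googleapis.com/v4/threatMatches:find?key={key}"
THREAT_TYPES = ["MALWARE", "SOCIAL_ENGINEERING", "UNWANTED_SOFTWARE",
                "POTENTIALLY_HARMFUL_APPLICATION"]


def build_request(urls, client_id="internal-monitor", client_version="1.0"):
    """Build the threatMatches:find body for the URLs you own (names assumed)."""
    return {
        "client": {"clientId": client_id, "clientVersion": client_version},
        "threatInfo": {
            "threatTypes": THREAT_TYPES,
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": u} for u in urls],
        },
    }


def flagged_urls(response):
    """Map each flagged URL to its sorted threat types; {} means nothing listed."""
    hits = {}
    for match in response.get("matches", []):
        url = match.get("threat", {}).get("url")
        if url:
            hits.setdefault(url, set()).add(match.get("threatType", "UNKNOWN"))
    return {u: sorted(t) for u, t in hits.items()}


def check(urls, api_key, timeout=10):
    """Live lookup (needs network and a key); returns the flagged_urls() mapping."""
    req = urllib.request.Request(
        ENDPOINT.format(key=api_key),
        data=json.dumps(build_request(urls)).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return flagged_urls(json.load(resp))


# Constructed sample response, shaped like a Lookup API reply with one match.
SAMPLE = {"matches": [{"threatType": "SOCIAL_ENGINEERING",
                       "platformType": "ANY_PLATFORM",
                       "threatEntryType": "URL",
                       "threat": {"url": "https://example-internal.web.app/"},
                       "cacheDuration": "300s"}]}

if __name__ == "__main__":
    print(flagged_urls(SAMPLE))  # a match: alert the site owner
    print(flagged_urls({}))      # empty body: not currently listed
```

Run `check()` on a schedule against both the default hosting hostname and any custom domain, since each is listed separately.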