Is google-services.json safe from hackers?

Question

Is google-services.json safe from hackers?

If a hacker has decompiled my APK, can he see my API keys from this file? I am not worried about my source code repository. I'm just worried that a hacker might see this API key from my APK in some way. I am trying to encrypt this file and decrypt it at runtime but with some problems

+11

android google-play-services encryption risk-analysis

stepheaw 04 Aug 17 at 13:46

source to share

4 answers

Julien arzul · Answer 1 · 2019-07-17T02:24:20+0000

When configuring the Google plugin, it will be very difficult for you to hide the content of the file google-services.json

. The only viable way would be to re-implement what the plugin has already done for you, which I would not recommend. When you use the plugin the way Google wants it, anyone, unfortunately, can easily unzip your APK to get your Firebase / Google API key.

However, you can prevent any abuse of this API key by specifying who can use it. For an Android app, you can specify that your API key can only be used by an Android app that has been signed by a specific keystore and uses the specified package name.

To configure these restrictions follow the documentation here: https://cloud.google.com/docs/authentication/api-keys#api_key_restrictions

Besides API key restriction, if you are using Firebase RTD / Firestore you should also make sure that you have configured security rules for the data store. Depending on your use case, you can prevent the anonymous user from reading or writing to your database sections.

If you'd like more information, here's a good article I found on how to secure your API keys in an Android app: https://proandroiddev.com/developing-secure-android-apps-8edad978d8ba

greywolf82 · Answer 2 · 2017-08-04T13:55:26+0000

Everything in the app can be read very simply as google suggests you to avoid putting information in apk, especially server key, in case of firebase / google cloud exchange service or services of this kind.

fhsilva · Answer 3 · 2019-09-05T19:06:41+0000

According to the Firebase documentation here :

When you connect an app to your Firebase project, the Firebase console provides a Firebase config file (Android / iOS) or a config object (web) that you add directly to your local project.

For iOS add config file GoogleService-Info.plist

For android you add the google-services.json config file

A Firebase config file or config object links your app to your Firebase project and its resources (databases, repositories, etc.).

And then it identifies the content as public:

Content is considered public, including your platform ID (entered in your Firebase console setup workflow) and values specific to your Firebase project, such as API key, live database URL, and storage bucket name.

Remember, if you're using a real-time database, Cloud Firestore, or Cloud Storage, you still need to follow the security guidelines outlined by Firebase.

Also note that although they are publicly available to your application, these files should not be available in the public repositories of open source projects.

hardik sojitra · Answer 4 · 2018-04-14T05:45:47+0000

Use Firebase and add Fingerprint after generated keystore file, add 256 using project and store value in Firebase.

-4

hardik sojitra Apr 14. '18 at 5:45

source to share

Is google-services.json safe from hackers?

More articles: