Is google-services.json safe from hackers?

Question

If a hacker decompiled my APK would he be able to see my API keys from this file? I am not worried about my source code repository. I am just worried about a hacker being ab

Answer 1

The way that the Google plugin is set up, it will be really hard for you to hide the content of the google-services.json file. The only viable way would be to re-implement yourself what the plugin already does for you, which I wouldn't recommend. When using the plugin the way Google intends you to, it will unfortunately be easy for anyone unzipping your APK to get hold of your Firebase/Google API Key.

However, you can prevent any abusive use of that API key by configuring who can use it. For an Android app, you can specify that your API Key can be used only by an Android application that has been signed by a given keystore and using a given package name.

To configure those restrictions, follow the documentation here: https://cloud.google.com/docs/authentication/api-keys#api_key_restrictions

On top of restricting the API Key, if you're using Firebase RTD/Firestore, you should also make sure that you configure security rules on the data store. Depending on your use-case, you can prevent anonymous user to read or write in sections of your database.

If you want more details, here is a good article I found on how to secure your API keys in an Android application: https://proandroiddev.com/developing-secure-android-apps-8edad978d8ba

Answer 2

Everything in the app can be read in a very easy way, so as Google suggests you must avoid to put information in the apk, especially server key in case of firebase/google cloud messaging or services of this kind..

Answer 3

According to Firebase documentation here:

When you connect an app to your Firebase project, the Firebase console provides a Firebase configuration file (Android/iOS) or a configuration object (web) that you add directly into your local project.

• For iOS, you add a GoogleService-Info.plist configuration file

• For Android, you add a google-services.json configuration file

A Firebase config file or config object associates your app with your Firebase project and its resources (databases, storage buckets, etc.).

And then it identifies the content as public:

The content is considered public, including your platform-specific ID (entered in the Firebase console setup workflow) and values that are specific to your Firebase project, like your API Key, Realtime Database URL, and Storage bucket name.

Remember that, if you use Realtime Database, Cloud Firestore, or Cloud Storage, you still need to follow the security guidelines described by Firebase.

Also note that, although they are public for your application, these files should not be made available on public repositories of open source projects.

Answer 4

It's clearly not safe but you have no choice so it's important to limit your license keys.

Unzip your apk (either rename it to .zip and open, or from bash unzip [your apk path])

Now - le coup the grace: Find a file (in the root of the zip) named resources.arsc and open it with any editor that agrees to open it. Even TextEdit or Atom are enough. Search for AIza and here it is. With your user ID's.

... or the less Hacker-style method: Just drag and drop your APK to Android Studio. You can see everything inside: In resources.arsc you will find all the keys and values, all your strings, all your integers... all in easy beautiful GUI.

The bigger question: is there a way to tell ProGuard to obfuscate it efficiently. Or is there a way to encrypt it with a secret key shared with a server.