Is google-services.json safe from hackers?

stepheaw picture stepheaw · Aug 4, 2017 · Viewed 12.3k times · Source

If a hacker decompiled my APK would he be able to see my API keys from this file? I am not worried about my source code repository. I am just worried about a hacker being able to see this API key from my APK somehow. I'm trying to encrypt this file and decrypt it at runtime but having some issues

Answer

Julien Arzul picture Julien Arzul · Jul 17, 2019

The way that the Google plugin is set up, it will be really hard for you to hide the content of the google-services.json file. The only viable way would be to re-implement yourself what the plugin already does for you, which I wouldn't recommend. When using the plugin the way Google intends you to, it will unfortunately be easy for anyone unzipping your APK to get hold of your Firebase/Google API Key.

However, you can prevent any abusive use of that API key by configuring who can use it. For an Android app, you can specify that your API Key can be used only by an Android application that has been signed by a given keystore and using a given package name.

To configure those restrictions, follow the documentation here: https://cloud.google.com/docs/authentication/api-keys#api_key_restrictions

On top of restricting the API Key, if you're using Firebase RTD/Firestore, you should also make sure that you configure security rules on the data store. Depending on your use-case, you can prevent anonymous user to read or write in sections of your database.

If you want more details, here is a good article I found on how to secure your API keys in an Android application: https://proandroiddev.com/developing-secure-android-apps-8edad978d8ba