Is google-services.json safe from hackers?

Asked 4/8, 2017 at 13:46 Answered 30/3, 2020 at 12:8

android encryption google-play-services risk-analysis

If a hacker decompiled my APK would he be able to see my API keys from this file? I am not worried about my source code repository. I am just worried about a hacker being able to see this API key from my APK somehow. I'm trying to encrypt this file and decrypt it at runtime but having some issues

Clack answered 4/8, 2017 at 13:46 Comment(9)

Its not going to be ever very difficult to get anything from the app. After all, you are giving all your code (in form of APK) to an unknown person. One can always de-compile the code, understand how it works, create some scripts to mimic the API calls and get everything working. You can just delay it a bit. A better question would be about the issue, you are facing in encrypting and decryption it, and since the Firebase dependency automatically makes use of the google-services.json file, you will have to alter that somehow. – Meghannmegiddo 4/8, 2017 at 13:52

being a client-side, your API will actually be visible in your APK. If this is a sensible value, this can be a problem because APK is just a ZIP. You should keep only public keys in here. The kinda only solution i know is to implement a installation routine the first time the app is lauched, so that it dynamically loads the key from your server at that time. EDIT encrypting client-side is worse, because you'll expose your encryption method – Levity 4/8, 2017 at 13:52

@Levity oh OK. It makes sense to do an installation routine. That seems like a lot of work though, wow – Clack 4/8, 2017 at 13:59

@ZeekHuge Do you have any suggestions? – Clack 4/8, 2017 at 14:5

What benefit would a hacker get from having your API keys? Note that very well-known apps, like Telegram, also have API keys hard-coded in the app that are easy to discover. – Florrieflorry 4/8, 2017 at 14:55

@JamesKPolk It was deemed a security risk because theoretically a hacker could post firebase events with access to these keys. What if they could pull them from our system too? These firebase events may contain sensitive data so we don't want this key exposed in the google-services.json if the APK is decompiled – Clack 4/8, 2017 at 15:24

side note about my comment: of course, if you ask the key on installation, you'll have to verify that the one asking is effectively coming from your app, which.. is a bit of a recursive problem, because to add a key for asking that, well you see what i mean! I know no proper solution for this, i don't know why they used basic ZIP.. Anyway, welcome to the people who know there is no real security in internet.. all is obfuscation and machine power to factor prime numbers ;O – Levity 4/8, 2017 at 16:22

@Levity You mentioned installation routine, do you really use it for google-services.json, as these with keys are generated at compile time and used as R.string.gcm_defaultSenderId within the APK. – Exanthema 20/9, 2018 at 9:41

@Exanthema i've never used the google inner installation routine, so i cannot tell, i was talking about a custom one – Levity 28/9, 2018 at 11:39

The way that the Google plugin is set up, it will be really hard for you to hide the content of the google-services.json file. The only viable way would be to re-implement yourself what the plugin already does for you, which I wouldn't recommend. When using the plugin the way Google intends you to, it will unfortunately be easy for anyone unzipping your APK to get hold of your Firebase/Google API Key.

However, you can prevent any abusive use of that API key by configuring who can use it. For an Android app, you can specify that your API Key can be used only by an Android application that has been signed by a given keystore and using a given package name.

To configure those restrictions, follow the documentation here: https://cloud.google.com/docs/authentication/api-keys#api_key_restrictions

On top of restricting the API Key, if you're using Firebase RTD/Firestore, you should also make sure that you configure security rules on the data store. Depending on your use-case, you can prevent anonymous user to read or write in sections of your database.

If you want more details, here is a good article I found on how to secure your API keys in an Android application: https://proandroiddev.com/developing-secure-android-apps-8edad978d8ba

Preterition answered 17/7, 2019 at 2:24 Comment(2)

Firebase security rules are the way to go. If somebody wants to try to exploit my API key in anyway that's fine because security rules in place will prevent read/write access – Clack 27/9, 2019 at 3:33

@Clack can you give an example of firebase security rules for firestore and real time database that address this issue? Thanks – Keri 2/8, 2022 at 18:37

According to Firebase documentation here:

When you connect an app to your Firebase project, the Firebase console provides a Firebase configuration file (Android/iOS) or a configuration object (web) that you add directly into your local project.

For iOS, you add a GoogleService-Info.plist configuration file

For Android, you add a google-services.json configuration file

A Firebase config file or config object associates your app with your Firebase project and its resources (databases, storage buckets, etc.).

And then it identifies the content as public:

The content is considered public, including your platform-specific ID (entered in the Firebase console setup workflow) and values that are specific to your Firebase project, like your API Key, Realtime Database URL, and Storage bucket name.

Remember that, if you use Realtime Database, Cloud Firestore, or Cloud Storage, you still need to follow the security guidelines described by Firebase.

Also note that, although they are public for your application, these files should not be made available on public repositories of open source projects.

Hap answered 5/9, 2019 at 19:6 Comment(3)

It is adding to the discussion since I added Google's information that "The content is considered public". Since the file content is considered public, it answers the question that this file can be exposed. Regarding why it should not be on a public repository, it is a different issue. Anyone that clones your repository should create their own file to access their Firebase account. So adding this file to a public repository is not useful and should be avoided. – Hap 27/9, 2019 at 7:39

Is there anything I could do along with uploading code to the private repo, I am using react-native for iOS & Android. – Felucca 26/10, 2021 at 9:36

As far I know it is okay to include the json file to a public repository, the really way to secure it is by setting the SHAs in both Firebase console and Cloud console plus putting some effort on security rules of the database. You can also check this answer: https://mcmap.net/q/143674/-should-i-add-the-google-services-json-from-firebase-to-my-repository – Keri 2/8, 2022 at 18:41

Everything in the app can be read in a very easy way, so as Google suggests you must avoid to put information in the apk, especially server key in case of firebase/google cloud messaging or services of this kind..

Aphid answered 4/8, 2017 at 13:55 Comment(3)

I agree, but this is confusing for me...Is there a way I can mask the keys in the google-services.json? And replace them with some other value at runtime? Or is that file used during buildtime?/ – Clack 4/8, 2017 at 13:59

@Clack Did you find any update how to safeguard google-services.json keys – Exanthema 20/9, 2018 at 10:50

Our solution was a buildtime routine that would swap out the keys. Although..our method for encryption was embedded inside the app. So regardless, it did not make it completely safe It just added another layer a hacker would need to go though. Although, since this time, I have been on a few other project teams - and they are not so concerned about these keys. Some companies have very strict policies and security reviews, and the people often reviewing these things don't have an understanding of what they are used for -- they just know they shouldn't be in plain text. – Clack 12/10, 2018 at 13:33

It's clearly not safe but you have no choice so it's important to limit your license keys.

Unzip your apk (either rename it to .zip and open, or from bash unzip [your apk path])

Now - le coup the grace: Find a file (in the root of the zip) named resources.arsc and open it with any editor that agrees to open it. Even TextEdit or Atom are enough. Search for AIza and here it is. With your user ID's.

... or the less Hacker-style method: Just drag and drop your APK to Android Studio. You can see everything inside: In resources.arsc you will find all the keys and values, all your strings, all your integers... all in easy beautiful GUI.

The bigger question: is there a way to tell ProGuard to obfuscate it efficiently. Or is there a way to encrypt it with a secret key shared with a server.

Ekaterinburg answered 30/3, 2020 at 12:8 Comment(2)

Any solution for this problem – Instrumentation 14/2, 2022 at 9:4

It is unsafe if you do not limit the API keys inside that json file using the Cloud console – Keri 2/8, 2022 at 18:44

Recommended topics

Hot tags