Login/Register
Is google-services.json confidential?
Asked Answered
Solved androidgoogle-analyticsgoogle-analytics-firebasegoogle-play-services
E

5

46

Following the guide on setting up Google Analytics in an Android app (https://developers.google.com/analytics/devguides/collection/android/v4/) I am left wondering if this google-services.json file can safely be committed into source code versioning and pushed to a public GitHub repository or if this file may contain credentials or secrets.

I cannot find a definite answer elsewhere, but I can see that sample apps both commit the file (https://github.com/google/climb-tracker/blob/master/mobile/google-services.json) and others have added the file to their .gitignore.

Electrician answered 1/5, 2016 at 7:40 Comment(0)
K
2

It should be considered confidential. The json file that is generated contains an api_key that you can use to send push notifications.

If you go to Credentials page on the Google Developer Console, you'll see the key in the json file listed under API keys

Kibitka answered 6/7, 2016 at 15:24 Comment(2)
As you can see in this post, the api key just identifies your Firebase project on the Google servers. It is not a security risk for someone to know it.Rosalba
@RosárioPereiraFernandes but I just tested that one of the api keys listed in my google-services.json file can be used to query the Places API (and possibly other services enabled in my google project) That api key shows up in the console as "auto created by firebase" so it would be great if Google provided some guide to restrict them after Firebase creates them without any restriction at allBlayne
G
40

From this post it seems there's no real reason to keep this file safe. It's data will be in the APK anyway.

Gottwald answered 12/3, 2017 at 16:47 Comment(1)
I aggree with this statement, but there is one thing to consider. When publishing e.g. to GitHub make sure to remove the file either way. If somebody forks your repo, e.g. their crash reports will show up in your Firebase. If they are malicious they get this file either way, but this prevents accidental use and keeps your logs clean.Academy
Q
6

Yes. At least the api_keystuff should be kept confidential.

One way to put google-services.json into your public repository and still keep it confidential is to use BlackBox.

In your app level build.gradle put a copy task in for example defaultConfig like this:

defaultConfig {
    ...
    ...
    copy {
        from "../secret/"
        into "."
        include "*.json"
    }
}

which will copy the file from your secret/ folder to the right spot.

Now, to build your app you'll have to run blackbox_edit_start google-services.json.gpg the first time you check out your repo, and after that you're good.

Quetzal answered 27/10, 2016 at 12:16 Comment(1)
The api_key is included in your APK in the end so for most purposes it is not confidential.Alkanet
M
3

google-services.json isn't confidential, but one should limit the API keys to the package name & signature. When not restricting these API keys, they could be extracted from the package and used (and also billed).

Maund answered 27/7, 2022 at 12:33 Comment(0)
K
2

It should be considered confidential. The json file that is generated contains an api_key that you can use to send push notifications.

If you go to Credentials page on the Google Developer Console, you'll see the key in the json file listed under API keys

Kibitka answered 6/7, 2016 at 15:24 Comment(2)
As you can see in this post, the api key just identifies your Firebase project on the Google servers. It is not a security risk for someone to know it.Rosalba
@RosárioPereiraFernandes but I just tested that one of the api keys listed in my google-services.json file can be used to query the Places API (and possibly other services enabled in my google project) That api key shows up in the console as "auto created by firebase" so it would be great if Google provided some guide to restrict them after Firebase creates them without any restriction at allBlayne
D
1

The values from google_services.json are stored in plain text in the resources.arsc file. That file is stored encrypted into the apk and it can be read just by unzip-ing the apk. I would say that because of that reason it could not hold valuable data.

Demodulation answered 27/7, 2022 at 12:16 Comment(0)

© 2022 - 2025 — McMap. All rights reserved.