Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to get Google-Service.Json file in decompile apk?

I want to know that is it possible to get google-service.json file when reverse engineering on android apk. Because in firebase Google-Service json file contain all keys of project.

like image 624
user3527444 Avatar asked Mar 16 '17 04:03

user3527444


People also ask

Where is Google-services json in APK?

The google-services. json file is generally placed in the app/ directory (at the root of the Android Studio app module).

Can I share Google-services json?

The general answer is yes, the google-services. json is safe to check in to your repo and is something that should be shared among engineers on your team. The JSON file does not contain any super-sensitive information (like a server API key).


1 Answers

JSON file is not included in your APK, what happens is your google/firebase Gradle plugin reads the JSON file and inserts it in string resource file. But by reverese engineering an apk using tools like apktool, anyone can access these resource files including your string resource file and raw string you put in your java code.

If you decompile the APK, you will get these secret details from string resource files.

  <string name="google_api_key">your key</string>
  <string name="firebase_database_url">firebase db url</string>

if you added firebase ACL, only authorized user can access the data, and also the key you are using can only be used with apk that signed with your keystore ( make sure sha1 hash you generated in firebase console for android app)

EDIT: For details on acl or protecting your firebase database operations see here

like image 159
Renjith Thankachan Avatar answered Sep 28 '22 19:09

Renjith Thankachan