I want to know that is it possible to get google-service.json
file when reverse engineering on android apk. Because in firebase Google-Service json file contain all keys of project.
The google-services. json file is generally placed in the app/ directory (at the root of the Android Studio app module).
The general answer is yes, the google-services. json is safe to check in to your repo and is something that should be shared among engineers on your team. The JSON file does not contain any super-sensitive information (like a server API key).
JSON file is not included in your APK, what happens is your google/firebase Gradle plugin reads the JSON file and inserts it in string
resource file.
But by reverese engineering an apk using tools like apktool
, anyone can access these resource files including your string resource file and raw string you put in your java code.
If you decompile the APK, you will get these secret
details from string resource files.
<string name="google_api_key">your key</string>
<string name="firebase_database_url">firebase db url</string>
if you added firebase ACL, only authorized user can access the data, and also the key you are using can only be used with apk that signed with your keystore ( make sure sha1 hash you generated in firebase console for android app)
EDIT: For details on acl or protecting your firebase database operations see here
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With