Is google-services.json confidential?

Question

Following the guide on setting up Google Analytics in an Android app (https://developers.google.com/analytics/devguides/collection/android/v4/) I am left wondering if this google-services.json file can safely be committed into source code versioning and pushed to a public GitHub repository or if this file may contain credentials or secrets.

I cannot find a definite answer elsewhere, but I can see that sample apps both commit the file (https://github.com/google/climb-tracker/blob/master/mobile/google-services.json) and others have added the file to their .gitignore.

Answer 1

From this post it seems there's no real reason to keep this file safe. It's data will be in the APK anyway.

Answer 2

Yes. At least the api_keystuff should be kept confidential.

One way to put google-services.json into your public repository and still keep it confidential is to use BlackBox.

In your app level build.gradle put a copy task in for example defaultConfig like this:

defaultConfig {     ...     ...     copy {         from "../secret/"         into "."         include "*.json"     } } 

which will copy the file from your secret/ folder to the right spot.

Now, to build your app you'll have to run blackbox_edit_start google-services.json.gpg the first time you check out your repo, and after that you're good.