Publish the “google-services.json” file of an Android app project or not?
The only meaningful answer to this often discussed topic
If you are an Android developer and you have ever worked with a Google service like Firebase you may have come across an automatically created file called google-services.json.
More about this file
This file is needed to authenticate your app to use the Google services, it is basically just a list of configurations which looks like this (an excerpt of an example google-services.json file of the android quickstart samples for firebase):
The common concerns
If you have once successfully implemented it in your Android app you mostly don’t have to deal with it again…
One of the exceptions is the publication or also private sharing of your app (as an open source project, for private collaboration with your friends, etc.). Because if you have never informed yourself about this file you may think that it contains sensitive data and nobody should be able to access it.
It is even part of the official gitignore file for Android…
…, BUT by default it is commented, because it should only be excluded if you publish a template where users should be able to use their own google-services.json file to connect their code to own projects. Here’s a comment of the firebase team:
For a library or open-source sample we do not include the JSON file because the intention is that users insert their own to point the code to their own backend.
That’s why you won’t see JSON files in most of our firebase repos on GitHub.
But many developers don’t know that and simply add it to their gitignore (and don’t upload the google-services.json file).
Should you publish it?
Yes. It is safe and makes it easier for everyone to contribute and work together with you (or others developers).
In the Firebase documentation it says (link to the article)…
The content of the Firebase config file or object is considered public, including the app’s platform-specific ID (iOS bundle ID or Android package name) and the Firebase project-specific values, like the API Key, project ID, Realtime Database URL, and Storage bucket name. Given this, use security rules to protect your data and files in Realtime Database, Cloud Firestore, and Cloud Storage.
So instead of keeping the file private, you better should implement security guidelines for your databases.
Other reasons why you should publish it are the following…
Why you should not exclude it
If others want to work with your published project and try to launch the app, Android Studio will throw the following error:
File google-services.json is missing. The Google Services Plugin cannot function without it.The workaround is to create an own google-services.json file and use it to be able to contribute, but the easier way is definitely just publishing the file for everyone to use.
Why it is not unsecure
The publication of this file is not unsecure because it can be found as plain strings in every .apk file (assuming this app needs this file).
Steps to find the google-services.json content in an .apk file:
Step 1: Drag and drop the .apk file into Android Studio (it will automatically start to inspect it)
Step 2: By selecting resources.arsc you get a list of all resources where you can also find the entry string.
Step 3: Now search for entries with the prefix firebase_ and google_. There you can find the api key, the firebase project url, etc.
If we now quickly take a look at my google-services.json file we can find exactly those entries in there:
Conclusion
As shown in this article publishing the google-services.json file is no problem because it is considered public and can easily be extracted from any .apk file.
Thanks for reading my very first article, HAPPY DEVELOPING!
