I want to know whether it is possible to get the google-services.json file when reverse engineering an Android APK, because in Firebase the google-services.json file contains all the keys of the project.

icodebuster

user3527444
1 Answer
The JSON file is not included in your APK. What happens is that the google-services/Firebase Gradle plugin reads the JSON file and inserts its values into a string resource file.

But by reverse engineering an APK using tools like apktool, anyone can access these resource files, including your string resource file and any raw strings you put in your Java code. If you decompile the APK, you will get these secret details from the string resource files:

```xml
<string name="google_api_key">your key</string>
<string name="firebase_database_url">firebase db url</string>
```

If you added Firebase ACL, only authorized users can access the data, and also the key you are using can only be used with an APK signed with your keystore (make sure of the SHA1 hash you generated in the Firebase console for the Android app).

EDIT: For details on ACL or protecting your Firebase database operations, see here.

Renjith Thankachan
- Is it dangerous for the security of the Firebase database? Can anyone access my Firebase project database using this secret? – user3527444 Mar 16 '17 at 06:43
- If you added Firebase ACL, no problem: only authorized users can access the data, and also the key you are using can only be used with an APK signed with your keystore (make sure of the SHA1 hash you generated in the Firebase console for the Android app). – Renjith Thankachan Mar 16 '17 at 07:31
- @IAmBatman can you tell what ACL is, or can you give a link to documentation for ACL or any example? – Vivek Barai Feb 15 '18 at 08:30
- Edited the answer to include the link, @VívêkBåräì; let me know if you need more details in the comments. – Renjith Thankachan Feb 15 '18 at 13:00
- Is it possible to replace my own google_api_key (and other needed slots) in the decompiled APK? Because I decompiled some APK and the Google sign-in service does not work. – user487363 Jan 11 '20 at 07:30
- @user487363 If you are able to decompile the APK successfully, you can replace the key, but that depends on how good your decompiler is! – Renjith Thankachan Jan 13 '20 at 07:04
- I use apktool, and I tried to register my key at the Google API website, then replace them. It works fine so far. But not only the api_key needs to be replaced; there are some other items that need to be replaced, like project_id, storage_bucket, client_id, etc. – user487363 Jan 14 '20 at 08:21
- If I used email and password from meta, how can we read data then? – Ahmad Jun 12 '20 at 14:49
- That helped a lot! Thanks a bunch! – helloWorld Jun 18 '20 at 10:38
- @Ahmad do not store email & password in the string resource file or even inside the APK. If this is about user credentials or something (the proper way is to store a user auth token instead), you can use an encrypted database file (SQLite). – Renjith Thankachan Aug 01 '21 at 01:36
- Having followed this I then ran `DatabaseReference ref = FirebaseDatabase.instance.ref();` then `DatabaseEvent event = await ref.once();`. I get nothing when I print `event.snapshot.data`. This is in Flutter. Is this what happens when ACL is on? – West Jan 03 '22 at 03:45
- @West yes, ACL restricts resources from being used publicly; you need a valid/authorized user session (one that satisfies the rules set in Firebase). – Renjith Thankachan Jan 15 '22 at 03:38
- "Can anyone access my firebase project database using this secret?" Your DB security is not determined by some secret key, which is a terrible solution. It is determined by what you allow per your security rules at the API level; ideal since your servers and clients don't need to replicate or enforce access rules. – Kato Aug 25 '22 at 17:45
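As an added example (not code from the question, the answer, or Firebase's own tooling), here is a small Python audit script a developer can run against the `res/values/strings.xml` that apktool writes when unpacking their own build. It lists which google-services values the APK ships (these are client identifiers the app needs, not secrets, which is the point the answer and Kato's comment make) and flags any resource that looks like an actual credential, which is what should never be in an APK. The resource names in `GOOGLE_SERVICES_KEYS` are the ones the google-services Gradle plugin generates from google-services.json; the sample `strings.xml` content, the `admin_password` entry and the secret-detection heuristics are constructed for this example.

```python
"""Audit a decompiled res/values/strings.xml for Firebase/google-services
values: a defender-side check of what your own APK ships."""
import re
import sys
import xml.etree.ElementTree as ET

# Resource names the google-services Gradle plugin writes from google-services.json.
GOOGLE_SERVICES_KEYS = {
    "google_api_key",
    "google_app_id",
    "google_crash_reporting_api_key",
    "google_storage_bucket",
    "firebase_database_url",
    "gcm_defaultSenderId",
    "project_id",
    "default_web_client_id",
}

# Heuristics (constructed for this example) for things that are real secrets
# rather than client identifiers and must not appear in a shipped APK.
SECRET_NAME_RE = re.compile(r"(password|passwd|secret|private_key|service_account)", re.I)
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")

# Constructed sample of what apktool writes for res/values/strings.xml.
# All values are placeholders, not real project identifiers.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">DemoApp</string>
    <string name="google_api_key">AIza-EXAMPLE-NOT-A-REAL-KEY</string>
    <string name="google_app_id">1:000000000000:android:0000000000000000</string>
    <string name="firebase_database_url">https://example-project.firebaseio.com</string>
    <string name="project_id">example-project</string>
    <string name="default_web_client_id">000000000000-example.apps.googleusercontent.com</string>
    <string name="admin_password">hunter2</string>
</resources>
"""


def parse_strings_xml(xml_text):
    """Return {name: value} for every <string> element in a strings.xml document."""
    root = ET.fromstring(xml_text)
    return {
        el.get("name"): (el.text or "")
        for el in root.iter("string")
        if el.get("name") is not None
    }


def audit_strings(strings):
    """Split the resources into google-services client config and findings.

    Returns (firebase_config, findings); each finding is a (name, reason) tuple
    for a resource that looks like a credential rather than a client identifier.
    """
    firebase_config = {k: v for k, v in strings.items() if k in GOOGLE_SERVICES_KEYS}
    findings = []
    for name, value in strings.items():
        if SECRET_NAME_RE.search(name):
            findings.append((name, "resource name suggests a credential"))
        elif PRIVATE_KEY_RE.search(value):
            findings.append((name, "value contains a PEM private key"))
    return firebase_config, findings


def audit_file(path):
    """Audit a strings.xml on disk, e.g. <apktool output>/res/values/strings.xml."""
    with open(path, encoding="utf-8") as f:
        return audit_strings(parse_strings_xml(f.read()))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        config, findings = audit_file(sys.argv[1])
    else:
        config, findings = audit_strings(parse_strings_xml(SAMPLE_STRINGS_XML))
    print("google-services values present (client identifiers, expected in the app):")
    for k, v in sorted(config.items()):
        print(f"  {k} = {v}")
    print("findings to fix before release:")
    for name, reason in findings:
        print(f"  {name}: {reason}")
```

Run it with no arguments to see the constructed sample audited, or pass the path to a `strings.xml` from your own unpacked build. The google-services entries it lists are expected to be there and are recoverable by anyone with the APK, so the data they point at has to be protected by Firebase security rules and the SHA1/package restrictions on the API key, as the answer describes; the `findings` list is the part that must be empty.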