Is it Safe to Store your google-services.json in a Public Git Repo?

I maintain an open source app called Simple Markdown. One of the things I’ve been working on for it lately is getting some CI server set up to be able to automate the testing and packaging of the app. I’ll still handle the publishing myself but I’d like to speed up the rest of the process. Anyways, given that the code is all freely available, it makes it tough to work with a CI server because I can’t store any secrets in the code. It’s generally bad practice to do so anyways but when you have a private repo and you’re the only developer then it’s usually fine.

I’ve got my Gradle scripts configured to automatically sign the release variants with my signing key, so that was pretty straightforward to mock out in the absence of the actual signing configuration, but I have been unable to find any way to mock out my google-services.json file, which contains the API keys and URLs for my Firebase project, which I’m currently using for error reports and analytics. As such, I began looking into the security concerns for just including it in the repo.

I ran into this StackOverflow post which points to this other StackOverflow post and a Google Groups discussion, all of which seem to come to the same conclusion: the google-services.json file is not really secret, as it could easily be retrieved from your compiled APK. Seeing as it’s written on the internet, it must be true.

Just kidding, let’s investigate.

I’ll start out by downloading the Play Store version of my app onto a device. I use ProGuard to obfuscate it, so if I can find the google-services.json file then it’s not encrypted in any way and it’s probably just fine to publish it in my repo. Let’s grab that APK:

# Get the path to the APK:
.\adb.exe shell pm list packages -f com.wbrawner.simplemarkdown
# Pull the APK file
.\adb.exe pull /data/app/com.wbrawner.simplemarkdown-dAHkKgk5P96rLBONU3zMNw==/base.apk simplemarkdown.apk

Android Studio has a helpful way to unpack the APK and examine its contents. Just press Ctrl + Shift + A (that’s Cmd + Shift + A for those of the Apple orientation) and type “Analyze APK”.

Navigate to wherever you pulled the APK file to and open it. Clearly, there’s no google-services.json file in here, so case closed, right? It’s not safe to publish it. Well, hang on a second. Let’s check the AndroidManifest.xml file… Nope, not there either. How about this resources.arsc thing? Maybe it’s in the string resources. As we scroll down a bit, a couple of values jump out at me.

firebase_database_url: That matches exactly the firebase_url parameter in the google-services.json.

gcm_defaultSenderId: 318641233555. There’s our project_number.

google_api_key: AIzaSyBDMcXg-10NsXLDKJRtj5WnXoHrwg3m9Os. That’s a one-to-one match for the current_key value inside api_key.

The list goes on. Given that you can, in fact, find all of the same values from the google-services.json file in the string resources, I guess that it really is safe to publish after all. If you’re a lot smarter than I am and you see that I’ve made a terrible mistake somewhere, please do let me know. In the meantime, I’ll simplify my CI setup by just committing the file.
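The manual comparison above can be scripted. The following is an added example, not code from the original post: it maps google-services.json fields to the string resource names they are compiled into and reports which ones appear in an APK's decoded strings. The first three mappings are the ones shown in the post and the other three follow the Google Services Gradle plugin's documented mapping; the sample config, the sample strings and the assumption that the resources were already decoded to strings.xml form are constructed for illustration.

```python
import json
import xml.etree.ElementTree as ET

# Constructed placeholder config; none of these values belong to a real project.
SAMPLE_JSON = """{
  "project_info": {"project_number": "123456789012", "project_id": "example-project",
                   "firebase_url": "https://example-project.firebaseio.com",
                   "storage_bucket": "example-project.appspot.com"},
  "client": [{
    "client_info": {"mobilesdk_app_id": "1:123456789012:android:0123456789abcdef",
                    "android_client_info": {"package_name": "com.example.app"}},
    "api_key": [{"current_key": "EXAMPLE_API_KEY_PLACEHOLDER"}]}]
}"""

# Constructed strings.xml, in the form a resource decoder writes out of resources.arsc.
SAMPLE_STRINGS = """<resources>
  <string name="firebase_database_url">https://example-project.firebaseio.com</string>
  <string name="gcm_defaultSenderId">123456789012</string>
  <string name="google_api_key">EXAMPLE_API_KEY_PLACEHOLDER</string>
  <string name="google_app_id">1:123456789012:android:0123456789abcdef</string>
  <string name="project_id">example-project</string>
</resources>"""

def expected_resources(config_text, package_name):
    """Map google-services.json fields to the string resource names they are built into."""
    config = json.loads(config_text)
    info = config["project_info"]
    client = next((c for c in config["client"] if
                   c["client_info"]["android_client_info"]["package_name"] == package_name), None)
    if client is None:
        raise ValueError(f"no client entry for package {package_name}")
    pairs = {
        "firebase_database_url": info.get("firebase_url"),      # mapping seen in the post
        "gcm_defaultSenderId": info.get("project_number"),      # mapping seen in the post
        "google_api_key": client["api_key"][0]["current_key"],  # mapping seen in the post
        "google_app_id": client["client_info"]["mobilesdk_app_id"],
        "project_id": info.get("project_id"),
        "google_storage_bucket": info.get("storage_bucket"),
    }
    return {name: value for name, value in pairs.items() if value}

def compare(config_text, strings_xml, package_name):
    """Return 'match', 'differs' or 'absent' for every config value, keyed by resource name."""
    found = {s.get("name"): (s.text or "") for s in ET.fromstring(strings_xml).iter("string")}
    return {n: "absent" if n not in found else "match" if found[n] == v else "differs"
            for n, v in expected_resources(config_text, package_name).items()}

if __name__ == "__main__":
    print(compare(SAMPLE_JSON, SAMPLE_STRINGS, "com.example.app"))
```

Any field reported as "match" is already readable by anyone who has the APK, so committing the file discloses nothing new for that field.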