how to protect the google api key in google-service.json

[hackneal]

As described in #1583, the API key are hard-coded in the google-service.json. And it can be obtained easily by just decompiling the apk file.

Is there any way to protect these keys in google-service.json?

[google-oss-bot]

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

[thatfiredev]

@hackneal the API key is considered public and doesn't need to be secured, as described in our docs. You just have to make sure to secure your database/storage service with Security Rules.
Additionally, you might want to add Firebase App Check to protect your backend from abuse.

[argzdev]

@hackneal, probably another alternative is you could use FirebaseOptions so you won't have to use a google-service.json, however please note that this not work for Firebase Analytics.

EDIT: Sorry, an API key is a required parameter for Firebase options, so my suggestion is irrelevant.

That said, I believe thatfiredev's suggestion answers this question, so I'll close this issue now. Feel free to ask this to be reopened if you think this doesn't work or there's any clarifications needed. Thanks!

[hackneal]

The document doesn't describe the key as public. Could the key be utilized to call the API service?

[thatfiredev]

See the paragraph right after the bulletpoints (and after the red warning). It states:

The content of the Firebase config file or object is considered public, including the app's platform-specific ID (Apple bundle ID or Android package name) and the Firebase project-specific values, like the API Key, project ID, Realtime Database URL, and Cloud Storage bucket name.

We also have a documentation page dedicated to API Keys.

---

hackneal: Could the key be utilized to call the API service?

Not sure what you mean by "API service", but if you're talking about the REST API, then no. API Keys can't be used to call our REST APIs - their authentication requires either a Google OAuth2 access token or a Firebase ID token (see docs).
But note that a Firebase ID token can be generated from a client app with the correct API Key. That's why it's important to set up Security Rules and App Check. We have an ongoing series of videos about app security on our Youtube channel, it's called Better Safe Than Sorry, I would recommend checking it out. :)