TL;DR
Yes, your google-services.json file can be detected after someone reverse engineers your Android app. However, there are several techniques to make it much harder for attackers to extract and use this sensitive information. This guide explains how to protect it.
Understanding the Risk
The google-services.json file contains crucial API keys and configuration details for Firebase services (like authentication, databases, push notifications). If an attacker gets hold of this file, they can:
- Use your app’s resources without permission, potentially racking up costs.
- Compromise user data if the file contains sensitive credentials.
- Create fake versions of your app.
Steps to Protect Your google-services.json
- Don’t Commit it to Version Control: This is the most basic step. Never, ever add google-services.json to Git or any other version control system.
- Obfuscate Your Code: Code obfuscation makes it harder for attackers to understand your app’s logic and find sensitive data.
  - Use ProGuard/R8 (built into Android Studio). Configure it properly to remove unused code and rename classes and methods.
  - Consider commercial obfuscators for stronger protection.
- Native Code Integration: Store the file’s contents in native libraries (C/C++). This makes it significantly harder to extract because native code is more difficult to reverse engineer than Java/Kotlin.
  - Move sensitive data processing logic into your native library.
  - Use JNI (Java Native Interface) to access the data from your Java/Kotlin code.

        // Example JNI call in Kotlin
        external fun getApiKey(): String

- Split APKs and App Bundles: Using split APKs or app bundles can help by separating the configuration file into a different module.
  - Attackers may target only the main APK, leaving the configuration less exposed.
- Server-Side Configuration: The most secure approach is to move as much configuration as possible to your server. Your app fetches these settings at runtime.
  - This eliminates the need for a google-services.json file altogether.
  - Implement proper authentication and authorization on your server.
- Firebase Remote Config: Use Firebase Remote Config to manage certain parameters.
  - This allows you to update settings without releasing a new app version.
  - It doesn’t completely replace google-services.json, but reduces its scope.
- Check for Debuggable Flags: Ensure your release builds are not debuggable. A debuggable app is much easier to reverse engineer.
  - In your build.gradle file:

        android {
            ...
            buildTypes {
                release {
                    debuggable false
                }
            }
        }

- Tamper Detection: Implement checks to detect if the app has been tampered with.
  - Use checksums or other integrity verification methods.
  - If tampering is detected, refuse to run or disable critical features.
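One way to implement the tamper-detection step, as an added example that is not code from the original guide: instead of a file checksum it pins the SHA-256 digest of the release signing certificate, since a repackaged APK has to be re-signed with a different key. The names `EXPECTED_CERT_SHA256`, `isSignedWithExpectedCert` and `enforceIntegrity` are hypothetical, and the digest is a constructed placeholder.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import java.security.MessageDigest

// Constructed placeholder: replace with the SHA-256 digest (lowercase hex)
// of your own release signing certificate.
private const val EXPECTED_CERT_SHA256 =
    "0000000000000000000000000000000000000000000000000000000000000000"

private fun hexToBytes(hex: String): ByteArray =
    hex.chunked(2).map { it.toInt(16).toByte() }.toByteArray()

/** Returns true only if every current signer certificate matches the pinned digest. */
fun isSignedWithExpectedCert(context: Context): Boolean {
    // signingInfo needs API 28+. This example treats older devices as
    // unverified (fails closed) rather than using the deprecated GET_SIGNATURES.
    if (Build.VERSION.SDK_INT < Build.VERSION_CODES.P) return false
    val info = try {
        context.packageManager.getPackageInfo(
            context.packageName, PackageManager.GET_SIGNING_CERTIFICATES
        )
    } catch (e: PackageManager.NameNotFoundException) {
        return false
    }
    val signers = info.signingInfo?.apkContentsSigners
    if (signers.isNullOrEmpty()) return false
    val expected = hexToBytes(EXPECTED_CERT_SHA256)
    return signers.all { signature ->
        val digest = MessageDigest.getInstance("SHA-256").digest(signature.toByteArray())
        MessageDigest.isEqual(digest, expected) // constant-time comparison
    }
}

/**
 * Gates critical features on the check. The callback is supplied by the app
 * (hypothetical); it might sign the user out or stop calling the backend.
 */
fun enforceIntegrity(context: Context, disableCriticalFeatures: () -> Unit) {
    if (!isSignedWithExpectedCert(context)) disableCriticalFeatures()
}
```

Because this check runs inside the app, it can itself be patched out of a modified build, so treat it as one layer alongside the server-side authentication and authorization described above.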
Important Considerations
- No solution is foolproof: Reverse engineering is always a possibility. The goal is to make it difficult and time-consuming enough that attackers move on to easier targets.
- Regularly review your security practices: Stay up-to-date with the latest threats and vulnerabilities.

