Firebase Authentication is not secure?

lucas_dnts · April 25, 2022, 2:30pm

The Firebase authentication file is visible inside the apk file.
I decided to open my application in Winrar and in the assets folder I noticed that it contained the google-services.json file with all the Firebase credentials. The question is, to what extent would that be a problem? Even if you have all the rules defined in Firebase, whoever opens the apk will have my credentials.
I searched the community about this, but I didn’t find anything related.(maybe because my English is not so good)

lucas_dnts · April 26, 2022, 12:58pm

Anyone help me with this question?

Avijit · April 26, 2022, 1:21pm

Read this question.

Income_Source · June 28, 2023, 11:47am

How hakers get you app SHA-1 key? They also need to this key

Shanmuga · June 28, 2023, 1:18pm

@lucas_dnts i too had some concerns about the Googleservices.json file.
But what i did is,
→ uploaded a dummy googleservices.json file (without any data) to the kodular creator inorder to build the app.
→ keep the original googleservices.json file in my own server or google drive or anywhere you wish. (should be downloadable)
→ Using below extension, when screen1 initialize delete the googleservices.json dummy file and download the original file from your server and make sure to name it as (google-services.json) and it will save to App Specific Directory. (use the file Download URL in obfuscated text, but use of any encryption extension is recommended [I use free [DeepHost Encryption extension](Deep Host - Extension & AIA File))

→ now your original googleservices.json file will not be in your APK, but will be usable by your app.
→ I Suggest that this tutorial is applicable not only for JSON file but also for all ASSESTS files in the app which makes it safe & secure.

Income_Source · June 28, 2023, 2:06pm

I want to let you know that “Obfuscated text” is not serure 100%. It’s a basic security options. You can’t depend on it.
Try anather method.

The_K_Studio · June 28, 2023, 2:14pm

Even if you download files later and store in ASD, it can be still accessible by the hackers if they want.

Shanmuga · June 28, 2023, 3:52pm

yes that why i use Encryption extension

Shanmuga · June 28, 2023, 3:55pm

yes i understood,
but only with APK file he can’t,
he need to install and perform some logical steps inorder to get it.
I use some indepth methods and like check for root, usb debugging, installed from playstore,etc… using clock, and delete the file if conditions not met