The Firebase authentication file is visible inside the apk file.
I decided to open my application in Winrar and in the assets folder I noticed that it contained the google-services.json file with all the Firebase credentials. The question is, to what extent would that be a problem? Even if you have all the rules defined in Firebase, whoever opens the apk will have my credentials.
I searched the community about this, but I didn’t find anything related.(maybe because my English is not so good)
Anyone help me with this question?
Read this question.
How hakers get you app SHA-1 key? They also need to this key
@lucas_dnts i too had some concerns about the Googleservices.json file.
But what i did is,
→ uploaded a dummy googleservices.json file (without any data) to the kodular creator inorder to build the app.
→ keep the original googleservices.json file in my own server or google drive or anywhere you wish. (should be downloadable)
→ Using below extension, when screen1 initialize delete the googleservices.json dummy file and download the original file from your server and make sure to name it as (google-services.json) and it will save to App Specific Directory. (use the file Download URL in obfuscated text, but use of any encryption extension is recommended [I use free [DeepHost Encryption extension](Deep Host - Extension & AIA File))
→ now your original googleservices.json file will not be in your APK, but will be usable by your app.
→ I Suggest that this tutorial is applicable not only for JSON file but also for all ASSESTS files in the app which makes it safe & secure.
I want to let you know that “Obfuscated text” is not serure 100%. It’s a basic security options. You can’t depend on it.
Try anather method.
Even if you download files later and store in ASD, it can be still accessible by the hackers if they want.
yes that why i use Encryption extension
yes i understood,
but only with APK file he can’t,
he need to install and perform some logical steps inorder to get it.
I use some indepth methods and like check for root, usb debugging, installed from playstore,etc… using clock, and delete the file if conditions not met