42

Following the guide on setting up Google Analytics in an Android app (https://developers.google.com/analytics/devguides/collection/android/v4/) I am left wondering if this google-services.json file can safely be committed into source code versioning and pushed to a public GitHub repository or if this file may contain credentials or secrets.

I cannot find a definite answer elsewhere, but I can see that sample apps both commit the file (https://github.com/google/climb-tracker/blob/master/mobile/google-services.json) and others have added the file to their .gitignore.

kraenhansen

3 Answers

33

From this post it seems there's no real reason to keep this file safe. Its data will be in the APK anyway.

Yaron
7

Yes. At least the api_key stuff should be kept confidential.

One way to put google-services.json into your public repository and still keep it confidential is to use BlackBox.

In your app level build.gradle put a copy task in for example defaultConfig like this:

defaultConfig {
    ...
    ...
    copy {
        from "../secret/"
        into "."
        include "*.json"
    }
}

which will copy the file from your secret/ folder to the right spot.

Now, to build your app you'll have to run blackbox_edit_start google-services.json.gpg the first time you check out your repo, and after that you're good.

Espen Riskedal
4

It should be considered confidential. The json file that is generated contains an api_key that you can use to send push notifications.

If you go to the Credentials page on the Google Developer Console, you'll see the key in the json file listed under API keys.

tahnok
  • As you can see in [this post](https://stackoverflow.com/a/37484053/5861618), the api key just identifies your Firebase project on the Google servers. It is not a security risk for someone to know it. – Rosário Pereira Fernandes Feb 18 '18 at 20:23
  • @RosárioPereiraFernandes but I just tested that one of the api keys listed in my google-services.json file can be used to query the Places API (and possibly other services enabled in my google project). That api key shows up in the console as "auto created by firebase", so it would be great if Google provided some guide to restrict them after Firebase creates them without any restriction at all – josue.0 Jan 21 '21 at 02:26
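
To cross-check the keys in the file against the API keys listed on the Credentials page, as the last answer and its comments discuss, the following added example (not code from any of the posts above) lists each `api_key` entry in a google-services.json with the key redacted. It assumes the `client[].api_key[].current_key` layout of generated files; the sample document and the `list_api_keys` and `redact` helpers are constructed for illustration.

```python
import json

# Constructed sample with the layout of a generated google-services.json;
# every value below is a placeholder, not a real project or key.
SAMPLE = """
{
  "project_info": {"project_number": "000000000000", "project_id": "example-project"},
  "client": [
    {
      "client_info": {
        "mobilesdk_app_id": "1:000000000000:android:0000000000000000",
        "android_client_info": {"package_name": "com.example.app"}
      },
      "oauth_client": [],
      "api_key": [{"current_key": "AIzaSy-CONSTRUCTED-PLACEHOLDER-KEY-0001"}]
    }
  ]
}
"""

def redact(key, keep=4):
    """Show only the last few characters so the report itself is safe to share."""
    return "*" * max(len(key) - keep, 0) + key[-keep:]

def list_api_keys(text):
    """Return one record per api_key entry: project, package and redacted key."""
    doc = json.loads(text)
    project = doc.get("project_info", {}).get("project_id", "<unknown>")
    found = []
    for client in doc.get("client", []):
        info = client.get("client_info", {})
        package = info.get("android_client_info", {}).get("package_name", "<unknown>")
        for entry in client.get("api_key", []):
            key = entry.get("current_key")
            if key:  # skip empty or malformed entries
                found.append({"project": project, "package": package, "key": redact(key)})
    return found

if __name__ == "__main__":
    for rec in list_api_keys(SAMPLE):
        print(f"{rec['project']}  {rec['package']}  {rec['key']}")
```

The redacted suffix is enough to match each entry to a key in the console and check which API and application restrictions are set on it.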