> Put passwords and sensitive data in gradle.properties
Bad idea. Put them in local.properties instead, and add that file to .gitignore if it is not ignored already.
Better yet, keep credentials out of your project entirely, and grab them via environment variables or whatnot on a CI server. You should not be using production credentials in your dev environment.