Secure your Firebase google-services.json file in Android
Firebase is now commonly used in Android projects because it provides a quick solution for logging crashes, a database for storing the app’s data, and many other things. The most common way to add Firebase to an Android app is to download the google-services.json file from the Firebase console and place it in the project’s app directory. This file is responsible for auto-initializing Firebase on app startup.
But do you know that this file contains some important keys and URLs that should not be leaked, as leaking them may compromise the security of your app? Also, have you ever wondered how easy it is to get those keys and URLs out of your app with the help of reverse engineering?
If you decompile your APK using a reverse engineering tool like Apktool, you will find that those keys are present in your app’s strings.xml file.
They can be extracted by anyone, which may compromise the security of your app.
How do keys and URLs get stored in strings.xml?
What basically happens is that Firebase copies these keys from the google-services.json file into the strings.xml file at compile time and uses them when auto-initializing.
So, is it possible to stop this so that these keys and URLs cannot be retrieved from our app, which can help reduce the chances of tampering with the app?
And the answer is YES.
How can this be done?
The first step is to get the required keys from the google-services.json file as specified below and store them in your app. You can check out my previous article to learn how to securely store secret keys in Android.
After storing these keys in your app, you can delete the google-services.json file from your app. Also, if you have added the line below to your app-level build.gradle file, you have to remove it.
apply plugin: ‘’
Now disable the auto-initialization of Firebase by adding the code below to the manifest file —
The final step is to initialize Firebase manually, supplying the respective keys that you previously got from the google-services.json file —
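The steps above (copy the values, drop the JSON file and plugin, disable auto-initialization, initialize manually) put together as an added example; it is not the article's original code. The package name, the `FirebaseValues` holder and all of its values are assumptions constructed for illustration.

```kotlin
// Added example, not the article's code.
// Manifest side (inside <application>, with xmlns:tools declared on <manifest>):
//   <provider
//       android:name="com.google.firebase.provider.FirebaseInitProvider"
//       android:authorities="${applicationId}.firebaseinitprovider"
//       tools:node="remove" />
package com.example.app // placeholder package name

import android.app.Application
import android.content.Context
import com.google.firebase.FirebaseApp
import com.google.firebase.FirebaseOptions

// Hypothetical holder. Every value is a constructed sample; in a real app each
// property reads from wherever the app keeps its keys.
// The trailing comments name the google-services.json field each value comes from.
object FirebaseValues {
    val appId = "1:000000000000:android:0000000000000000"      // client_info.mobilesdk_app_id
    val apiKey = "SAMPLE_API_KEY"                               // api_key[].current_key
    val projectId = "sample-project"                            // project_info.project_id
    val databaseUrl = "https://sample-project.example.invalid" // project_info.firebase_url
    val senderId = "000000000000"                               // project_info.project_number
    val storageBucket = "sample-project.example.invalid"        // project_info.storage_bucket
}

fun initFirebaseManually(context: Context): FirebaseApp {
    // initializeApp() throws if the default app already exists, so reuse it.
    FirebaseApp.getApps(context)
        .firstOrNull { it.name == FirebaseApp.DEFAULT_APP_NAME }
        ?.let { return it }

    val options = FirebaseOptions.Builder()
        .setApplicationId(FirebaseValues.appId)
        .setApiKey(FirebaseValues.apiKey)
        .setProjectId(FirebaseValues.projectId)
        .setDatabaseUrl(FirebaseValues.databaseUrl)
        .setGcmSenderId(FirebaseValues.senderId)
        .setStorageBucket(FirebaseValues.storageBucket)
        .build()
    return FirebaseApp.initializeApp(context, options)
}

// Registered through android:name on <application>, so it runs before any Firebase call.
class App : Application() {
    override fun onCreate() {
        super.onCreate()
        initFirebaseManually(this)
    }
}
```

The values still ship inside the APK, so this only moves them out of strings.xml; how well they resist extraction depends on how the app stores them.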
Note — If you have added Firebase Crashlytics to your project, then you have to add the following code to your app-level ‘build.gradle’ file to prevent the automatic uploading of the mapping file to Firebase Crashlytics at release time:
android {
    buildTypes {
        release {
            firebaseCrashlytics {
                mappingFileUploadEnabled false
            }
        }
    }
}
But after preventing the automatic upload of the mapping file, your info will not be preserved and you will no longer see the particular line number and the activity name where the crash occurs.
But don’t worry, in order to preserve the info and get the proper crash reports, you have to add the following code to your app’s file —
Update — 13/02/2022
If you are getting obfuscated crash reports in Firebase Crashlytics, then you might need to upload a mapping file to Firebase manually after generating the APK. But since Firebase has not provided any official documentation for this, we are gonna use Android Studio to customize the Gradle task that uploads the mapping file so that this can be achieved.
But before starting, let’s see what happens in the background when you generate an APK.
So, basically, when you generate an APK, Firebase Crashlytics generates a UUID with the help of the injectCrashlyticsMappingFileId Gradle task and associates it with the app. After that, the uploadCrashlyticsMappingFile Gradle task is executed, which uploads the mapping file to Firebase for that specific UUID. So ultimately, when a crash occurs in that specific APK, Firebase checks the mapping file belonging to the Crashlytics UUID present in the APK in order to deobfuscate the crash report.
STEP — 1
You need to set mappingFileUploadEnabled to true again in your app-level ‘build.gradle’ if you have set it to false before. This ensures that a 32 digit UUID is generated every time we generate an APK.
android {
    buildTypes {
        release {
            firebaseCrashlytics {
                mappingFileUploadEnabled true
            }
        }
    }
}
STEP — 2
You need to restrict the execution of the uploadCrashlyticsMappingFileRelease task by adding the following code at the bottom of your project-level build.gradle —
Note — The task name may vary depending on the build flavour for which you are going to generate the APK. For example — If you have a build variant ‘uat’, then the name of the task will be uploadCrashlyticsMappingFileUatRelease.
STEP — 3
Generate the APK for the build variant that you want. After the APK has been created successfully, a 32 digit UUID and a mapping file will have been generated; both are used in the manual upload of the mapping file.
STEP — 4
Now you need to replace the code that you added to your project-level build.gradle with the code shown below. Also, note that the syntax may vary depending on the Gradle version that you are going to use. I have used Gradle version 7.2 for this.
- mappingFileId — It’s a 32 digit UUID that is obtained from the com_crashlytics_build_id.xml file present in the “/app/build/generated/crashlytics/res/{buildVariant}/values” path.
- path_to_mapping_file — It is the absolute path of the already generated mapping file, which is present in the “/app/build/outputs/mapping/{buildVariant}/mapping.txt” path.
- path_to_resource_root — For this, you will need to create a file named ‘values.xml’, put it in a folder named ‘values’, and use the absolute path of the parent directory of the values folder. For example — If the path to values.xml is “C:\\Users\\HP\\Downloads\\values\\values.xml”, then ‘path_to_resource_root’ will be “C:\\Users\\HP\\Downloads”. The content of the values.xml file is shown below —
<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="google_app_id" translatable="false"> mobilesdk_app_id </string>
</resources>
STEP — 5
The last step is to execute the customized task that you specified earlier in your project-level build.gradle, using the terminal in Android Studio as follows —
gradlew uploadCrashlyticsMappingFileRelease
Wait for the task execution to get completed and you are good to go now.