I have an open source app that Ive recently added in-app billing to. Is it safe to keep it open source, since the code now has the RSA key in it?
The key Im referring to is the Base64-encoded RSA public key provided by the Google Play Developer Console.
How the name says it's a public key. This means it can be shared publicly with others. Even if you don't want to share it, any developer with enough skills can very likely extract it from your application, if it's there. So that's not a big issues, if you revealed it.
What you really have to keep secret is the way you store and access your public key inside your app. It is important because your app uses your public key for validating payment server response. Response considered to be valid if it was signed by your private key. Thus, having a public key you can always say whether a server has used your private key (which is known only by you) to sign the content or not. What a hacker can do is, he/she can replace your public key inside your app with their public key and then send hacked response signed with their private key. Your logic will successfully validate such responses and your app will behave as a paid app. So be aware and kept the way you store your public key private.
Regarding your case, I would suggest to remove in-app payment related code from your open-source project completely. This will increase security and make hackers life more difficult. You don't need to worry that you revealed your public key, but you may better remove it too, together with the implementation mentioned above.
