As per the documentation:

Do not include the API key anywhere in your client code.

And it is the case in our current Android app -- the API Key is nowhere included in the code. However, for the new version 3.0.0 of com.google.gms:google-services library, it started throwing error Missing api_key/current_key without it, as discussed here: Missing api_key/current key with Google Services 3.0.0.

Also, Google's config generator https://developers.google.com/mobile/add?platform=android&cntapi=gcm includes the API Key in the google-services.json file.

Is it supposed to be kept secret? Or is it safe to include it in the client app?

Dzmitry Lazerka
  • The google-services.json file contains the setup for GCM. It contains the sender ID and api_key. You need to add it to the module config. – mdtuyen Jul 08 '16 at 01:20
  • I think the title should be "Is the GCM API key supposed to be kept secret?". – Enzokie Jul 08 '16 at 02:10
  • Interesting.. I missed asking this.. When referring to the docs, yes it is mentioned that the API Key should be kept secret.. But since the `google-services.json` file has it, and it is included in the client app, it kinda counts as being a part of the client code. I think I've also read somewhere before that there is a possibility to retrieve the details of your `google-services.json` file just by having your apk (sorry, can't find that specific post anymore, but I'll look around for it from time to time). – AL. Jul 08 '16 at 07:22
  • I haven't touched GCM in a couple of years. It used to be that there were two keys: a client key and a sender key. The client key had to be in the app, originally in a `` element in the manifest. I cannot quite imagine how GCM could work if there *wasn't* some client key that was used in the registration process. So, unless Google cooked up some miracle, I would assume that their documentation is in error and the client API key should be in the client app. – CommonsWare Jul 09 '16 at 11:15
  • @CommonsWare Thanks for your comment. As far as I remember it is the other way round. The `SenderId` used to be in the client app, which was used to generate the device token. And the `API_KEY` was used by the server to identify itself to GCM. Check [GCM API key vs Sender ID](http://stackoverflow.com/questions/14044017/gcm-api-key-vs-sender-id). That is why it was recommended not to include the API key in the client app. However, the confusion remains about the contradictory statements and why they need to include it now. – Shobhit Puri Jul 09 '16 at 15:48
  • The client key does not need to be secret as you define all the allowed application IDs on the web config console for any given key. So even if someone gets your client key, they need to have your application ID too, which they can't get unless you give them your signing key. So keep your signing key secret and life is all good. – Richard Le Mesurier Jul 09 '16 at 20:29
  • @RichardLeMesurier `applicationId` can be obtained using apktool, dex2jar and other debuggers. That's how lots of people clone other famous apps which don't use obfuscation. Even with some obfuscation, obtaining the applicationId is still possible, which for many can be the same as the package name. I think Arthur has answered the question well. It makes sense that those 2 API keys are not the same. – Shobhit Puri Jul 11 '16 at 19:10
  • @Shobhit I was referring to release on the official Play Store. You are the only person who can release on that store. In which case the public key doesn't matter. I'm not too concerned about the security of customers who download from other unofficial stores. – Richard Le Mesurier Jul 11 '16 at 21:46

3 Answers

The google-services.json file represents the configuration for all of the services available within Firebase. There are some services that require an "Android" API key. These are the API keys that you will find in the google-services.json file. Your app may or may not use these API keys depending on the Firebase APIs your app is using.

FCM has a "Server" API key that is used to send messages; this API key is NOT the key included in the google-services.json file. The server API key should never be included in your application. The google services plugin, however, does look for those Android API keys at build time, and that could be the reason for your error; it is not because your FCM server API key is missing.

Arthur Thompson
Answering my own question.

If I create a new test project on Firebase (https://console.firebase.google.com), it also includes the API Key into

  • google-services.json for Android app,
  • GoogleService-Info.plist for iOS app,
  • for Web App it even recommends to include the API key into my HTML.

Given that HTML is definitely public, I'm pretty convinced now that it's not a secret.

Dzmitry Lazerka
If you are using GCM, your Android app need not know about the API key. I just had to include an empty field for api_key in the json file for GCM to work. As mentioned in the answer here, Missing api_key/current key with Google Services 3.0.0 and Maps API key in build.gradle, I just had to add a line like the one below in google-services.json for GCM to work:

"api_key": [
  {
      "current_key": ""
  }
],

I think you shouldn't include the API key, since I think only your server needs the API key to authenticate with Google when requesting it to send push messages to the intended recipients. It would be a risk if anyone got hold of it. So the file can look like:

{
  "project_info": {
    ...
  },
  "client": [
    {
      "client_info": {
         ...
      },
      "oauth_client": [
        {
          "client_id": "yourid.whatever.com",
          ...
        }
      ],
      "api_key": [
        {
          "current_key": ""
        }
      ],
      "services": {
       ...
      }
    }
  ],
  "configuration_version": "1"
}

Hope this helps.

Shobhit Puri
  • But if you try to create `google-services.json` using Google's https://developers.google.com/mobile/add?platform=android&cntapi=gcm -- it puts the API Key into the google-services.json file. Same thing with Firebase: https://console.firebase.google.com/?pli=1 I don't believe they don't know what they're doing. Your solution _might_ work, but since it's not documented anywhere I don't think it would be right to use it -- it may stop working any time. I wanted some more credible answer (e.g. from Google engineers). – Dzmitry Lazerka Jul 08 '16 at 05:33
  • @DzmitryLazerka You haven't been an Android developer for very long, if you still assume anyone at Google knows what they're doing. – Kevin Krumwiede Jul 08 '16 at 07:20
  • To be frank, when I generated the json file for Firebase, there was no api_key field generated. It would be good if we could get an answer from someone from Google. – Shobhit Puri Jul 08 '16 at 14:25
  • Actually when I again download the json configuration file from Firebase like [this](https://support.google.com/firebase/answer/7015592), it doesn't include the `current_key` in my generated json. – Shobhit Puri Jul 08 '16 at 15:34
  • Interesting, I just tried again, and it does include API Key in it. If you click "Add Web App", it even recommends you to put it into HTML, which is definitely public. – Dzmitry Lazerka Jul 09 '16 at 00:14
  • @DzmitryLazerka I used the Firebase console to download it. Are you trying the Google Cloud console or Firebase? Maybe it depends on the API that one is using? – Shobhit Puri Jul 09 '16 at 00:17
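As an added example (not code from the original posts or from Google), here is a Python check a build pipeline could run over google-services.json to tell the Android API key entries Arthur Thompson describes apart from an accidentally embedded server key, and to spot the empty current_key workaround from the answer above. The sample JSON, the package name and both key values are constructed placeholders.

```python
import json
from typing import Dict, Iterable, List

# Constructed sample in the shape shown in the answer above; every value is a placeholder.
SAMPLE_GOOGLE_SERVICES_JSON = """{
  "project_info": {"project_id": "example-project"},
  "client": [
    {
      "client_info": {"android_client_info": {"package_name": "com.example.app"}},
      "oauth_client": [{"client_id": "yourid.whatever.com"}],
      "api_key": [{"current_key": "PLACEHOLDER-ANDROID-KEY"}],
      "services": {}
    }
  ],
  "configuration_version": "1"
}"""

# Stand-in for the FCM/GCM server key held by the backend (assumed to come from a
# secrets store at audit time; it must never appear in a client config file).
KNOWN_SERVER_KEYS = {"PLACEHOLDER-SERVER-KEY"}


def audit_google_services(raw: str, server_keys: Iterable[str]) -> Dict[str, object]:
    """Per client: does the api_key block exist (google-services 3.0.0 fails without it),
    how many current_key values are empty (the GCM-only workaround) or set, and which
    current_key values match a known server key (a secret leaked into the client)."""
    secrets = set(server_keys)
    cfg = json.loads(raw)
    clients: List[Dict[str, object]] = []
    leaked: List[str] = []
    for client in cfg.get("client", []):
        info = client.get("client_info", {}).get("android_client_info", {})
        keys = [entry.get("current_key", "") for entry in client.get("api_key", [])]
        clients.append({
            "package": info.get("package_name", "<unknown>"),
            "has_api_key_block": "api_key" in client,
            "empty_keys": sum(1 for k in keys if k == ""),
            "set_keys": sum(1 for k in keys if k),
        })
        leaked.extend(k for k in keys if k in secrets)
    return {"clients": clients, "leaked_server_keys": leaked}


def safe_to_ship(raw: str, server_keys: Iterable[str]) -> bool:
    """True when no client carries a known server key and every client has an api_key block."""
    report = audit_google_services(raw, server_keys)
    return not report["leaked_server_keys"] and all(
        c["has_api_key_block"] for c in report["clients"])
```

Run it against the generated file before packaging: a non-empty `leaked_server_keys` list means a backend credential is about to ship inside the APK, while a missing api_key block reproduces the Missing api_key/current_key build error discussed in the question.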