0

I ran a security test via the ImmuniWeb tool on my Android app APK. One of the observations the tool made was that one of the app contains hard-coded sensitive data. It further said:

An attacker with access to the mobile application file can easily extract this data from the application and use it in any further attacks.

There is 'google_api_key', 'google_crash_reporting_api_key', and 'google_storage_bucket' found in file 'android/res/values/strings.xml'

The issue is that this strings.xml file is auto-generated and cannot be edited:

enter image description here

How do I clear this issue?

Doug Stevenson
  • 297,357
  • 32
  • 422
  • 441
mumayank
  • 1,670
  • 2
  • 21
  • 34

1 Answers1

8

The data you're referring to is not "private" or "sensitive". This is a standard configuration for Firebase products that get injected into your app as part of a standard app build using the Google Play services plugin. All of those values are just identifiers for Firebase and Google services that need to be known by the client in order to address those services. Without them, your app wouldn't know where to go for information.

If you're using Realtime Database, Firestore, or Cloud Storage in your app, you should be using security rules for each for those products in order to limit who can read and write which locations in those products. That's how you implement security in apps that use Firebase. Trying to hide or obfuscate the configuration isn't going to foil a determined attacker.

I don't know anything about this tool you're using for this security scan, but it doesn't seem to be aware of these facts.

mumayank
  • 1,670
  • 2
  • 21
  • 34
Doug Stevenson
  • 297,357
  • 32
  • 422
  • 441
  • Allow me some time to discuss this with my teammates, and then I will mark your answer as accepted. Thank you for the response – mumayank Jan 07 '20 at 06:16
  • Also see my answer here: https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public – Frank van Puffelen Jan 07 '20 at 15:02