The google-services.json file is required for connecting an Android app with the Firebase account (similarly, the info.plist file on iOS). This file is required for a developer in the company for day-to-day development activities. This file is also required for the application to function when it is installed on a test device.

How do we make sure a developer who leaves the company (who has had access to the file) will not be able to access the Firebase services using the file, other than through an installed application? Through an installed application, the actions the app can do are predefined and hence safe and controlled in nature. In case someone can access the services through a development environment with the file, the user could do anything they want. How do we prevent this from happening?

vzurd
  • The information in google-services.json is public information. If you don't want someone to access data, you should use Firebase Auth along with security rules to determine who should be able to read and write data. – Doug Stevenson Jan 18 '21 at 08:01
  • @Doug Security rules are for authenticated users in general. It doesn't distinguish between a developer who has access to the source code and a user logging in from an installed app. Correct? – vzurd Jan 19 '21 at 08:33
  • Yes, it has no way of knowing how the user is accessing the data. – Doug Stevenson Jan 19 '21 at 16:40
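
The comments above point to Firebase Auth plus security rules as the control. As an added example (not part of the original thread), this is what such rules can look like, assuming the project uses Cloud Firestore; the `users` collection and the `displayName` and `updatedAt` fields are hypothetical. The rules are evaluated on the server for every request, so they bound what any signed-in client can do, whether the request comes from the installed app or from a development environment that holds the config file.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // True only when the caller is signed in and the path belongs to them.
    function isOwner(userId) {
      return request.auth != null && request.auth.uid == userId;
    }

    // Assumed layout: one profile document per user, keyed by Auth UID.
    match /users/{userId} {
      // A signed-in user can read only their own profile.
      allow read: if isOwner(userId);

      // Writes are limited to the fields and shapes the app is meant
      // to send; a hand-written client gets no wider write access.
      allow create, update: if isOwner(userId)
        && request.resource.data.keys().hasOnly(['displayName', 'updatedAt'])
        && request.resource.data.displayName is string
        && request.resource.data.displayName.size() <= 64
        && request.resource.data.updatedAt == request.time;

      // No client may delete a profile.
      allow delete: if false;
    }

    // Paths with no matching allow statement are denied by default.
  }
}
```

With rules of this shape, a former developer who still holds the config file is limited to what their own Auth account is allowed to do.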

0 Answers