
So I watched this YouTube tutorial video.

In this video, it is recommended NOT to include API keys in Xcode plist files. Firebase generates a plist file for us to include in our projects, and in that plist file is the API key. Is there a way to do this without using the plist file so that it is more secure?

Anthony

1 Answer


Your app's public API keys are not (and should not be regarded as) secret(s) as they are needed in order for your app to identify itself to the Firebase backend. Even if you were to store them elsewhere, they could be extracted by other means by a malicious actor. Because the API key is the same for every single instance of the app, it would only take one bad actor to discover and disclose it.

Firebase themselves likely have intelligent abuse detection so you should not need to worry too much about DoS attacks or any other possible attack that involves your API key. However, some "abuses" of your app simply aren't possible to prevent if you have a public-facing app anyway. It depends on what your app does and what you would consider to be "abusive" behaviour.

Trying to obfuscate your API keys will only create more friction for you as a developer and will not win you much in terms of security. You should focus security efforts on other parts of your app.

Important: I'm talking about public API keys, not private keys such as Firebase service credentials. These really are private and you shouldn't ever include them in your app (only store them on your server).

Bradley Mackey
  • You are saying "as they are needed in order for your app to identify itself to the Firebase". Consequently, this means that the API key must not be shared since others can use it to impersonate. Neither should the plist file reside in the code repository, regardless of whether it's a public or private repository. – quat Apr 11 '22 at 03:42
  • @quat You should avoid drawing attention to the API keys because it can increase the chances of these kinds of attacks occurring. However, my point stands. The values are not "secret" and a determined attacker can (relatively easily) recover them on iOS and [trivially recover them from a web app](https://firebase.google.com/docs/web/learn-more#config-object). – Bradley Mackey Apr 12 '22 at 12:17
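The answer draws a line between the public client config (the API key in GoogleService-Info.plist, recoverable by anyone who has the app) and private service-account credentials, which belong only on a server. The following is an added example, not code from the question, the answer or Firebase: a small repository-hygiene check that tells the two apart so a pre-commit hook or CI step can block the private kind. It assumes that the generated plist carries an API_KEY entry and that a Firebase service-account export is a JSON file with "type": "service_account" and a "private_key" field; the sample files below are constructed for this example, with placeholder key material.

```python
"""Added example (not from the question or answer above): distinguish Firebase
public client config (GoogleService-Info.plist) from private service-account
credentials so the latter can be blocked from the app bundle and its repo.

Assumptions: GoogleService-Info.plist carries an API_KEY entry; a Firebase
service-account export is JSON with "type": "service_account" and a
"private_key" field. The sample inputs below are constructed for this example.
"""
import json
import plistlib

# Constructed sample: the public client config Firebase generates for iOS.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>API_KEY</key><string>AIzaSy-EXAMPLE-PUBLIC-KEY</string>
  <key>PROJECT_ID</key><string>example-project</string>
  <key>BUNDLE_ID</key><string>com.example.app</string>
</dict>
</plist>
"""

# Constructed sample: a service-account export, the private credential the
# answer says must only live on your server. Key material is a placeholder.
SAMPLE_SERVICE_ACCOUNT = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "firebase-adminsdk@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
}).encode()

# JSON fields that indicate a credential rather than public configuration.
PRIVATE_JSON_FIELDS = {"private_key", "client_secret", "refresh_token"}


def classify(name: str, data: bytes) -> str:
    """Return 'public-config', 'private-credential' or 'unknown' for one file."""
    if name.endswith(".plist"):
        try:
            doc = plistlib.loads(data)
        except Exception:
            return "unknown"
        if isinstance(doc, dict) and "API_KEY" in doc:
            # A client API key identifies the app to the backend and is
            # recoverable from the binary, so it is configuration, not a secret.
            return "public-config"
        return "unknown"
    if name.endswith(".json"):
        try:
            doc = json.loads(data)
        except ValueError:
            return "unknown"
        if isinstance(doc, dict) and (
            doc.get("type") == "service_account" or PRIVATE_JSON_FIELDS & doc.keys()
        ):
            return "private-credential"
        return "unknown"
    return "unknown"


def find_private_credentials(files: dict) -> list:
    """Names of files that must not be in the app bundle or its repository."""
    return sorted(n for n, d in files.items() if classify(n, d) == "private-credential")


if __name__ == "__main__":
    # Constructed mini-repository: one public config, one private credential.
    repo = {
        "App/GoogleService-Info.plist": SAMPLE_PLIST,
        "App/firebase-adminsdk.json": SAMPLE_SERVICE_ACCOUNT,
    }
    for n, d in repo.items():
        print(f"{n}: {classify(n, d)}")
    print("blocked:", find_private_credentials(repo))
```

Run as a pre-commit hook over the staged files, a non-empty result from `find_private_credentials` is the condition to reject the commit; the plist is left alone because, as the answer says, obfuscating the public key buys little.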