Is google-services.json safe from hackers?

Question

If a hacker decompiled my APK would he be able to see my API keys from this file? I am not worried about my source code repository. I am just worried about a hacker being ab

Answer 1

It's clearly not safe but you have no choice so it's important to limit your license keys.

Unzip your apk (either rename it to .zip and open, or from bash unzip [your apk path])

Now - le coup the grace: Find a file (in the root of the zip) named resources.arsc and open it with any editor that agrees to open it. Even TextEdit or Atom are enough. Search for AIza and here it is. With your user ID's.

... or the less Hacker-style method: Just drag and drop your APK to Android Studio. You can see everything inside: In resources.arsc you will find all the keys and values, all your strings, all your integers... all in easy beautiful GUI.

The bigger question: is there a way to tell ProGuard to obfuscate it efficiently. Or is there a way to encrypt it with a secret key shared with a server.