Following the guide on setting up Google Analytics in an Android app (https://developers.google.com/analytics/devguides/collection/android/v4/) I am left wondering if this google-services.json file can safely be committed into source code versioning and pushed to a public GitHub repository or if this file may contain credentials or secrets.
I cannot find a definite answer elsewhere, but I can see that sample apps both commit the file (https://github.com/google/climb-tracker/blob/master/mobile/google-services.json) and others have added the file to their .gitignore.
It should be considered confidential. The json file that is generated contains an api_key that you can use to send push notifications.
If you go to Credentials page on the Google Developer Console, you'll see the key in the json file listed under API keys
From this post it seems there's no real reason to keep this file safe. It's data will be in the APK anyway.
Yes. At least the api_keystuff should be kept confidential.
One way to put google-services.json into your public repository and still keep it confidential is to use BlackBox.
In your app level build.gradle put a copy task in for example defaultConfig like this:
defaultConfig {
...
...
copy {
from "../secret/"
into "."
include "*.json"
}
}
which will copy the file from your secret/ folder to the right spot.
Now, to build your app you'll have to run blackbox_edit_start google-services.json.gpg the first time you check out your repo, and after that you're good.
来源:https://stackoverflow.com/questions/36964276/is-google-services-json-confidential