API-KEY in GoogleService-Info.plist
8,134 views
Skip to first unread message
Pentester
Mar 19, 2020, 12:19:00 AM3/19/20
to Firebase Google Group
Hi Guys,
Me and my team was performing secure code review for an IOS project, we found a hard-coded API-KEY in GoogleService-Info.plist file, and we reported it.
Client responded back by saying that the information in GoogleService-Info.plist file is non sensitive including the API-KEY.
Please help me in understanding the significance of API-KEY, is it safe to be hardcoded in GoogleService-Info.plist. Is their a secure way to store the API-KEY
Please help
Regards,
Pentester
shawn revels
Mar 19, 2020, 8:31:53 AM3/19/20
to fireba...@googlegroups.com
Check out this article.
--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/c441f1f7-d74d-4879-b0a9-b8537c3a5c86%40googlegroups.com.
Sam Stern
Mar 19, 2020, 8:38:21 AM3/19/20
to Firebase Google Group
Hi there,
None of the values in the GoogleService-Info.plist or google-services.json file are secrets, they are all identifiers that can be included in your app without concern. Some teams choose to keep them in version control while others store them elsewhere, that's a personal choice and the end result is the same. The most important thing for the security of your Firebase App is to make sure that you have the proper Security Rules enabled on your data (if you're using Firestore, Storage, or Realtime Database).
The Google Maps team has some good advice on adding restrictions to API keys if you're interested:
https://developers.google.com/maps/api-key-best-practices#restrict_apikey
https://developers.google.com/maps/api-key-best-practices#restrict_apikey
- Sam
Reply all
Reply to author
Forward
0 new messages