Addressing Security Concerns with Firebase Crashlytics 'firebase_url' Exposing Permissive Cross-Domain XML


Bharathi Selvan

Jul 12, 2024, 10:54:26 AM (4 days ago) Jul 12
to Firebase Google Group
I'm currently implementing Firebase Crashlytics in my mobile applications. The google-services.json file generated from the Firebase console includes a property called "firebase_url" under "project_info". This URL exposes a permissive cross-domain XML.

Could someone please provide insights on how we can address this issue? During pen testing of my application, this was flagged as a concern. I would appreciate any suggestions or solutions you may have to address this issue.

Thank you.

Joe Spiro

Jul 12, 2024, 12:20:20 PM (3 days ago) Jul 12
to Firebase Google Group
Hello,

As detailed in Understand Firebase projects, the contents of google-services.json should be considered public but should be obscured where possible (such as not including them in version control) and data accessible from the contained information should be protected (where applicable) by Firebase Security Rules.

In full:

"The content of the Firebase config file or object is considered public, including the app's platform-specific ID (Apple bundle ID or Android package name) and the Firebase project-specific values, like the API Key, project ID, Realtime Database URL, and Cloud Storage bucket name. Given this, use Firebase Security Rules to protect your data and files in Realtime Database, Cloud Firestore, and Cloud Storage.

For open source projects, we generally do not recommend including the app's Firebase config file or object in source control because, in most cases, your users should create their own Firebase projects and point their apps to their own Firebase resources (via their own Firebase config file or object)."
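The quoted guidance says to protect Realtime Database data (the resource behind `firebase_url`) with Security Rules rather than by hiding the config. As an added illustration that is not from either poster or from the Firebase documentation, the ruleset below replaces an open ruleset such as `".read": true, ".write": true` with a deny-by-default policy where each signed-in user can only read and write their own subtree; the `users/$uid/profile` layout is a hypothetical data model chosen for the example.

```json
{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        "profile": {
          ".validate": "newData.hasChildren(['displayName'])",
          "displayName": {
            ".validate": "newData.isString() && newData.val().length <= 64"
          },
          "$other": {
            ".validate": false
          }
        }
      }
    }
  }
}
```

With these rules, knowing the database URL from google-services.json lets an unauthenticated client reach the endpoint but not read or write any data, and the `.validate` clauses reject unexpected fields even from the owning user.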