如何在反编译apk中获取Google-Service.Json文件? [英] How to get Google-Service.Json file in decompile apk?

问题描述

我想知道在 android apk 上进行逆向工程时是否可以获取 google-service.json 文件.因为在 firebase Google-Service json 文件中包含项目的所有键.

解决方案

JSON 文件未包含在您的 APK 中，发生的情况是您的 google/firebase Gradle 插件读取 JSON 文件并将其插入 string 资源文件.但是通过使用诸如 apktool 之类的工具对 apk 进行逆向工程，任何人都可以访问这些资源文件，包括您在 Java 代码中放入的字符串资源文件和原始字符串.

如果你反编译 APK，你会从字符串资源文件中得到这些 secret 细节.

 <string name="google_api_key">您的密钥</string><string name="firebase_database_url">firebase db url</string>

<块引用>

如果您添加了 firebase ACL，则只有授权用户才能访问数据以及您使用的密钥只能与 apk 一起使用使用您的密钥库签名(确保您生成的 sha1 哈希适用于 Android 应用的 Firebase 控制台)

有关 acl 或保护 Firebase 数据库操作的详细信息，请参阅此处

I want to know that is it possible to get google-service.json file when reverse engineering on android apk. Because in firebase Google-Service json file contain all keys of project.

解决方案

JSON file is not included in your APK, what happens is your google/firebase Gradle plugin reads the JSON file and inserts it in string resource file. But by reverese engineering an apk using tools like apktool, anyone can access these resource files including your string resource file and raw string you put in your java code.

If you decompile the APK, you will get these secret details from string resource files.

  <string name="google_api_key">your key</string>
  <string name="firebase_database_url">firebase db url</string>

if you added firebase ACL, only authorized user can access the data, and also the key you are using can only be used with apk that signed with your keystore ( make sure sha1 hash you generated in firebase console for android app)

EDIT: For details on acl or protecting your firebase database operations see here

这篇关于如何在反编译apk中获取Google-Service.Json文件?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！