Protect Firebase credential file Golang exe

Question

I'm building an application to run on computers (any architecture) using Golang. For my Golang exe to access my Firebase database I have to add this json credential file as seen in the image. If someone reverse engineers my Golang exe then it will be very easy to get hold of these keys and make fraudulent operations on my database. What is the best practice/method to prevent anyone from getting a hold of this json? Will it always be very easy to extract these keys? I'm not completely sure but I think it would be way safer to put this json on a server and then make the users golang apps post to my API after they auth, but the main purpose of firebase in my app is Snapshot Listeners which are meant to be real time.

Additionally if anyone has any specific knowledge on this what is the best way for iOS Swift apps too. I will be releasing an iOS app on the App Store that will have this same file but encoded inside a info.plist file.

Answer 1

The Go SDK for accessing Firestore provides fill access to the database (and typically more of the project) and is meant for use in trusted environments only, such as your development machine, a server that you control, or something like Cloud Functions/Cloud Run. As Doug commented, on such environments, you'd typically put the credentials on the environment directly (as documented here) - and not distribute them with the executable.

If you want to run this application in untrusted environments too, you should not use the Go SDK that Google provides nor any of its other so-called server-side or Admin SDKs. You'll want to either access Firestore through its REST API, or look for a 3rd party library that doesn't require administrative credentials.