Can I access the Firebase database using the REST API if I reverse engineered an apk?

Question

SO I recently discovered an old discontinued application of mine and I reverse engineered the apk since I lost the code.

Progaurd wasn't enabled, and I was able to successfully reverse engineer it.

This is a Firebase application, and in the strings.xml I was able to find:

firebase_database_url, gcm_defaultSenderId, default_web_client_id, google_api_key, google_app_id.

I'm trying to read from the database.

So, using my browser, I type in my URL [URL].firebaseio.com/.json, but I need a parameter, auth, which I would think is google_api_key, which I can get from strings.xml.

But, it doesn't work, and gives me "error": "Could not parse auth token."

So I think I need a different key, but what is it? Is it possible to find it using the decompiled app? All the variables are the same name as they were.

Note that this was probably created before the May Firebase update, so it's probably still using firebase.com, because there's no google-services.json anymore.

Answer 1

Unless the creator of the APK put a private token or password in the app (which they would not, unless they are intentionally doing something very insecure), then you would not be able to access the parts of the database that require authentication.

The google API key you are referring to is not private, and it does not grant anyone the ability to anything special with a project. It's merely an identifier for a project.