Are API keys "autogenerated by Firebase" in GCP secure?

Question

After creating project in Firebase multiple Google Cloud Platform API keys were auto-generated:

• Server key (auto created by Firebase)
• Android key (auto created by Firebase)
• Browser key (auto created by Firebase)

All keys are marked with "!" sign which says:

This API key is unrestricted. To prevent unauthorised use and quota theft, restrict your key to limit how it can be used.

My understanding was that Firebase handles GCP configuration and knows how to do it in secure manner. "Android key" is embedded inside application so it can be retrieved very easily from apk.

Is any additional configuration necessary?

What permissions exactly is the key granted?

Answer 1

What is your definition of secure? Does the key allow access to privileged or valuable data? Anyone that has the API key can do anything the key allows. The issue is not if the key is secure, the issue is how the key is managed, used and protected. Do you trust the people/software/services that have the key? If no, then the key is not secure.

My understanding was that Firebase handles GCP configuration and knows how to do it in secure manner.

That is an incorrect assumption. Google/Firebase does not configure your keys to be secure. That is up to your implementation to provide for and protect keys.

In summary, the answer to your question is that an API Key is not secure unless the environment that the key is used within is also secure.

Answer 2

Although API keys for Firebase services are safe to include in code, there are a few specific cases when you should enforce limits for your API key.

From the documentation:

The API keys auto-created by Firebase, by default, have no restrictions. However, there are a few specific cases when you should enforce limits for your API key.

For more details check the documentation.