Where to safely store Google service account key (GCP) in a published Android APK?

Question

I am using the Google service account key (JSON) in Android studio to integrate Android and Google Dialogflow. This requires the key file to be saved in the APK.

I plan to upload the app in the Play Store. Is there any problem if the service account key included? And how should I safely keep the key?

Answer 1

The short answer is that yes, this is a problem. The APK can be decompiled and your key exposed. There is no way to safely keep this key.

However... there aren't many good alternatives.

You can make sure the service account you generate has the minimal set of permissions. This will limit what someone who uses the key can do with it. So if you permit the key to just the "Dialogflow API Client" all they can do is call detectIntent and do other things with the session and conversation. But this can still cause you problems with a malicious actor running up expenses or making API calls out of your control.

You may wish to create a thin API layer that runs as a service (possibly using Cloud Functions or something similar). This API layer would have the key, so it does not get exposed to your client, but this still might leave the API open and subject to similar risks and abuses as above. You can add protections (such as requiring login), but this starts getting complicated quickly.