Even though google-services.json and GoogleService-info.plist files do not contain secrets, the higher-ups would like to rotate these files on occasion. If we do that, what happens on devices that do not have the most up-to-date files? Do the Firebase services still work?
2
Answers
In what sense would these files be rotated? Generating or downloading new ones will give you results exactly like your current files unless you have changed some feature setup on the backend.
After explaining to the higher ups that there is no reason to do this (and some small risk if you get it wrong or corrupt the file contents) if they still think it is a good idea it really shouldn’t make any difference to the running product.
They are more configuration information than security barriers.
If you rotate your google-services.json or GoogleService-Info.plist file, it may cause issues with stale installations. Stale installations are devices that have already installed your app and are using an older version of the google-services.json or GoogleService-Info.plist file.
In this case, when the app is opened on a device with a stale installation, the app may not be able to communicate with Firebase services, and may show errors or behave unexpectedly. This is because the stale installation is still using the old configuration settings, and may not be able to access the new ones.
To avoid these issues, it is recommended to handle the rotation of these files carefully. One way to do this is to use a dynamic link to distribute new configurations to users, and prompt them to update their app. Another approach is to use Firebase Remote Config to dynamically update configuration values on the client side. Additionally, it is important to communicate any changes to your users and provide them with instructions on how to update their app.