125

I work on adding Google Analytics and GCM services to my current app. On the guide for both services implementation, google asks developer to generate a json file: google-services.json and put it under root directory of the app.

I found that even if I delete this json file from my app, the services still works.

Just want to know for sure, what is this file really for? What its usage and how does it work?

Janusz
  • 176,216
  • 111
  • 293
  • 365
Arthur Wang
  • 2,955
  • 4
  • 19
  • 25

3 Answers3

201

I investigated a bit regarding the google-services plugin and json and found the sources to this plugin.

First things first

The gradle-plugin google-services that is referenced by classpath and with apply is a build-time plugin only! So it only influences the build-process of your app, but not the runtime-process!

This plugin is only meant as a quickstart-helper to integrating Google-services quickly in your app. Obviously, the process is somewhat convoluted and not documented, so Google should have made it clear what this process does.

In fact, I found the source code for the plugin version com.google.gms:google-services:1.4.0-beta3 and didnt find any specific reference in it regarding appinvites nor did I find any Google API for App Invites! (But maybe it just uses a generic API project with its project id, I didnt try this)

What it does

The google-services gradle-plugin looks for the mentioned google-services.json file in your app-module. Then it looks for configured settings like project-id's and tracking-id's and such, generated by the Google API developer console into the google-services.json file. From the settings it found, Android resource values are generated into the following path:

$project.buildDir/generated/res/google-services/$variant.dirName/values/values.xml

For example for a debug-build of your app:

app/build/generated/res/google-services/debug/values/values.xml

E.g. if you followed the GCM tutorial, the JSON file would include the API project's id as the following android-resource:

<string name="gcm_defaultSenderId">project-id</string>

So this plugin and JSON file are not essential to running or publishing your app, it is just a quickstart helper to generate some basic android-resource files for easier integration of specific Google API features.

Notice in the source code referenced below that the google-services plugin always generates those android-resources for every app-variant that is defined in your app/build.gradle.

If you don't want that, you should use those generated resources in the app-variants you want, and delete the others. Don't forget to remove the google-services plugin apply from app/build.gradle, or else it will be regenerated for all app-variants.

What it does not

This plugin and JSON-file do NOT directly influence the inner workings of said Google-features for your app! If you already have followed older tutorials on developer.android.com on how to integrate e.g. GCM or Google Analytics, then you don't even need to integrate either the gradle-plugin google-services or the google-services.json file!

Notice about where I found the sources

After you integrated the google-services gradle-plugin and when sync your project, Gradle automatically downloads the google-services dependency to a path similar to this (on Windows, you might need to look into your home/.gradle for Linux):

C:\Users\user\.gradle\caches\modules-2\files-2.1\com.google.gms\google-services\1.4.0-beta3\f1580f62e3be313eba041ce19b64fd3f44cf8951\google-services-1.4.0-beta3-sources.jar

If you extract this jar-file, you will find two files:

GoogleServicesPlugin.groovy
GoogleServicesTask.java

which contain the plain source code of the gradle-plugin.

GoogleServicesPlugin.groovy

contains the handling of the app-variants and basic definitions of paths etc.

GoogleServicesTask.java

contains the actual task-definition, look for the following method to see what it really does:

@TaskAction
public void action() throws IOException {
Sufian
  • 5,997
  • 14
  • 60
  • 111
arne.jans
  • 3,556
  • 2
  • 19
  • 26
  • 2
    much better answer. yet there seems to be issues when trying to follow the recommended approach (https://developers.google.com/analytics/devguides/collection/android/v4/) "accepted answer" is a ridiculous SO concept that totally depends on the patience of the person that can decide on it... – axd Feb 23 '16 at 17:20
  • 7
    A follow-up note on this, as it may have changed since you posted this. The [Google Services Gradle Plugin](https://developers.google.com/android/guides/google-services-plugin#introduction) guide states a 2nd function of the plugin. It also claims to add some dependencies for "basic libraries required for the services you have enabled", as well as checks for dependency collisions (from version mixing). I dug into the sources, and it also appears to inject "compile com.google.android.gms:play-services-measurement". Just an FYI in case anyone sees that pop up and are not sure why. – Android3000 Apr 05 '16 at 20:52
  • 3
    Considering that the file contains a couple of keys, is it safe to add it to version control? As far as I can tell it's only fingerprints, so I reckon it's safe. But I'm not completely certain. – exhuma May 04 '16 at 10:34
  • 1
    @exhuma in my personal opinion, if you are working on a private or company-internal project, it would be ok to check it into version control. On the other hand, I would never check the json-file into version control for open source projects, obviously. – arne.jans May 06 '16 at 12:26
  • 1
    @arne.jans Are you able to set the senderId dynamically, or you just hardcoded it in values.xml? I need to fetch senderId dynamically from server, and than registering to FCM. – Bresiu Jun 10 '16 at 09:49
  • I would add a bounty for the source of the plugin itself. – Weishi Z Aug 09 '16 at 07:11
38

What is this file really for:

google-services.json contains developer credentials and configuration settings, which is needed to verify while connecting with GoogleApiClient. Though your service is working fine with your test device as it is detecting your developer account but after releasing your app in public, it will not work without the json file. So don't delete it.

The Official Documentation says:

The application builds a GoogleApiClient, specifying which scopes and APIs the application will access. When the GoogleApiClient connects, the user is signed in.

See the how it works section.

Brad Larson
  • 168,330
  • 45
  • 388
  • 563
Mohammad Arman
  • 6,730
  • 2
  • 34
  • 48
  • 3
    Thank you for your answer. Just has questions though wonder if you are willing to help. I saw your link is post to Sign In services. But if I only using Google Analytics and GCM service in my app, not need to sign in, do I still need to keep this file? Thanks! – Arthur Wang Jul 23 '15 at 21:47
  • 3
    Yes, for analytics or GCM you also need this configuration file. In the step 2 of the documentation, you had to go to **GET A CONFIGURATION FILE** link. There you have to select if you are using this conf file for GCM or analytics. This file just contains your developer Identity (like api key, SHA1 hash of your development pc etc.) – Mohammad Arman Jul 23 '15 at 21:52
  • @MohammadArman I using google-services.json that I generated with debug fingerprint and it is working fine even in release mode also. Should I generate a new google-services.json file with release SHA1 fingerprint? The app is being used by many beta testers(none of them have developer accounts) and it seems to be working fine even without release config file. – androidGuy Aug 27 '15 at 09:33
  • @androidGuy No. you don't need to recreate google-service.json. Just keep it as it is. – Mohammad Arman Aug 27 '15 at 09:42
  • @MohammadArman Thanks for the quick response. It is a bit confusing because in google-service.json file, the client_id is that of Android project that I created with debug SHA1 fingerprint. I created a new Android project in Google dev console with release SHA1 fingerprint for release mode. So how does it actually work in release mode with a google-service.json file that I created with debug fingerprint.? Thanks in advance – androidGuy Aug 27 '15 at 09:48
  • 2
    @androidGuy Sorry for late response. I think you have to create the new configuration google-services.json file with the latest release SHA1 keyhash. Other wise some features may not work after publishing on play store. Sorry for the previous confusion, I will delete my previous comment as it will let someone to the wrong direction. – Mohammad Arman Aug 29 '15 at 09:15
  • @MohammadArman How to actually create the new configuration google-services.json file with the latest release SHA1 keyhash? I had a json file with my debug SHA1 fingerprint, and the configuration file generation link doesn't allow me to change the SHA1 fingureprint, nor to remove and regenerate it. – cnbuff410 Sep 20 '15 at 05:21
  • @cnbuff410, Have you tried this link? https://developers.google.com/identity/sign-in/android/start In step 2 you should be able to generate config file. NOTE: You have to Edit the existing Sample App name and package name by clicking on the text. – Mohammad Arman Sep 20 '15 at 05:58
  • @MohammadArman ya I did, in the step 2, it shows the SHA1 fingerprint I have inputed before, but there is no way for me to change it, nor is there a way for me to cancel the signin service. I have a configuration file generated by the link already, I just could not change the information inside for any of the already configured service. – cnbuff410 Sep 21 '15 at 22:06
  • Is there a way to programmatically check that the google-services.json has been processed? I have a complex buildscript where some flavors include the json file and other don't (intentionally). I would like to then programmatically determine whether to enable relevant features on the basis of whether the json file existed (i.e. was processed) – Mark Sep 26 '15 at 06:55
  • 1
    If you copy the words of another person, you *must* properly blockquote them and provide full attribution. I've rolled back your edit, as I consider it to be plagiarism of the answer below this one. – Brad Larson Dec 21 '15 at 20:11
  • 6
    What about security? Can google-services.json be recreated and read from the apk? I see a developer and API key inside. I dont like it to be known by others... – Tino May 14 '16 at 20:32
  • @cnbuff410 about how to chenge SHA1, try chenge it in google dev console `credentials -> click project name -> change old SHA to new one`. And then try generate json file – Aleksey Timoshchenko Aug 07 '16 at 11:22
  • 1
    @Tino Everything you package into the apk can be "recreated", you can rename things to make them less obvious, but anyone who knows what they're looking for will still find it. As long as the API key needs to be transmitted to the server at runtime, a "malicious" user will be able to find it. Supposedly the Play Services library will check that the app is signed with your certificate before allowing the key though, and you're hopefully not packaging those certificates with keys into the APK. – Thorbear Oct 27 '16 at 10:53
  • surely not @Thorbear. that would be a bad idea. – Tino Oct 31 '16 at 11:09
4

Add google-services.json to your module and do a CLEAN and A REBUILD. A xml file will be generated in app/build/generated/res/google-services/debug/values/values.xml with your project properties and you can easilly access then like normal xml string. Example:

String serverClientId = getString(R.string.default_web_client_id);

there is a list with all strings and more info in google-service.json doc

Beto Caldas
  • 1,962
  • 2
  • 20
  • 23