App Secrets
Firebase App Secrets: Runtime Secrets for Mobile & Web
1) Problem
Developers routinely ship API keys and tokens inside app binaries, where anyone who can download the app
can extract them. Obfuscation isn't protection; a value that actually needs to stay secret must be
short-lived, scoped, and revocable. Today, Firebase offers Cloud Secret Manager (great for servers) and App
Check, backed by Play Integrity and App Attest (great for attestation), but there's no first-class, managed
way to deliver ephemeral, policy-controlled secrets to client apps.
2) One-liner
"Deliver short-lived, policy-scoped secrets to verified client apps with automatic rotation, attestation, and
device-secure storage, built into Firebase."
3) Core concepts
- Vault: secrets stored in Google Cloud Secret Manager with optional CMEK.
- Policies: TTL, scope, rollout, rotation.
- Attestation gateways via App Check.
- Delivery via Firebase Secrets Service.
- On-device storage in hardware-backed keystores.
- Auditability with logs and alerts.
4) What it’s good for (and not)
Great for: publishable keys, per-session credentials, confidential feature flags, signed URLs; that is,
values scoped to one app, user or session that lose most of their worth once they expire. Not for:
long-term server-side secrets like DB passwords, which no amount of client-side protection makes safe to
hand to a device.
5) Developer workflow
Console/CLI creation, scope definition, rotation, logs. Example CLI (proposed):
firebase secrets set STRIPE_PUB_KEY --type=client --ttl=10m --scope app:ios:...,app:android:... --min-app-version 312
6) SDK shape (proposed)
Examples in Flutter, Android, iOS, Web SDKs to fetch and manage secrets securely.
7) End-to-end flow
1. App requests secret.
2. SDK performs attestation via App Check.
3. Secrets Service verifies the attestation, authorizes against policy, retrieves the value, encrypts it to the device's keystore key, and returns it.
4. SDK unwraps, validates (scope, user, expiry), stores in the hardware-backed keystore.
5. Auto-refresh at half TTL, so the value is replaced before it expires.
8) Security model & trade-offs
Mitigates casual static extraction (nothing durable ships in the binary), stale tokens (TTL plus rotation),
and leakage (scope limits what a leaked value is good for). Residual risks: a rooted/jailbroken device or an
instrumented app can read the unwrapped value while it is in use; attestation raises the cost of that but
cannot rule it out, so the TTL and scope are what bound the damage. Hardening: per-user binding, strict
versioning, geo restrictions.
9) Integrations
Remote Config, Cloud Functions/Run, Crashlytics, Cloud Logging & Alerts.
10) Pricing idea
Free tier with daily limits. Paid per 10k secret fetches + GSM storage. CMEK surcharge.
11) Example use cases
Stripe publishable key rotation, pre-signed upload URLs, third-party SDK tokens with scope control.
12) MVP scope
SDKs for Android, iOS, Flutter, Web. Policies: TTL, version/platform scope, rollout, geo. Mandatory App
Check. Console + logs.
13) Guardrails
Don’t put long-term secrets in clients. Expect device compromise. Never log secret values.