Because according to several sources;
How to avoid reverse engineering of an APK file?
it's impossible to prevent an app from being reverse engineered, and Firebase app tokens are stored in the APK source, how won't attackers get these credentials and destroy a Firebase database?
My concern is that there's no controller available to the developer between the native App and Firebase database (Unless one routes requests from e.g Android App to their own server then to Firebase, which would slow down requests, I think). So anyone who can gain access to tokens should essentially be able to do whatever they want with the database.
I'm coming from PHP and MySQL where I'd control all coming requests from clients with PHP, then access the database from PHP with database user information that is stored on the server, not clients.
WHAT I KNEW : Since the web service and the db are both hosted on the server and only the web service needs direct access to the db, there is no need to store db access info in the app. So attackers don't have DB access information available on the App.
I'm probably missing something important here. Would love to understand more.
You should not distribute the secret at all in the apps. It should not be needed there.
However, you should setup the Firebase Security rules so that any client is only allowed to do the "safe" stuff.