Android In App Billing public key in public repository
I have programmed an open source app in which I added donations via In App Billing. Google says to "hide" the public key (see here).
As the app itself is open source, everyone can compile it and change the key. Currently I created a new project with a static class that returns the key. This class I use to get the key so I don't have the plain public key in my git repo. But is this really necessary?
What is the worst thing that could happen if somebody has my public key?
I thought about this "issue" and try to answer it myself. Hopefully, it is useful for anyone.
Note: If you plan to sell things and activate features with an in app purchase, you should obfuscate your key! My answer is intended for open source apps only!
Since I don't activate additional features with the in app purchase, a hacker would have no use in replacing the key. He cannot obtain any additional features. Even if it would enable something, since the app is open source, everyone can remove the condition which checks for a purchase.
In the other way, if someone would use the key in his app, I'm not sure what would happen if he uploads the app to the dev console. I think in app purchases will fail, because a new public key is generated for each uploaded app.
I'd say you are good to go to include the public key in your public repository. I'll include it too.