@eugenetereshkov, does using Firebase remote config add an additional layer of security since the keys are passed via a network request?

My theory why Firebase Remote Config may be a good security option is because it is harder to sniff the Https requests from the app then decompiling the APK and reading the strings from the generated file. For instance, when I debug an app with Charles Proxy you can’t view the endpoint details unless the app is compiled in Debug mode due to newer Android security measures.

Here is a current StackOverflow on this topic where a Firebase team member shared his thoughts.