Elye, thanks for bringing attention to this security risk. The simplest architecture pattern is to have separate Firebase projects for staging/qa and production/release environments.

The Android client can initialize the corresponding Firebase authentication based on the Build environments in Gradle. Then, testing new changes to the server, database, remote config, and etc can be fully rolled out on the testing Firebase project first.