Interesting concept. I’ve been thinking about how to secure important Strings such as the ones generated from the google-services.json file with your strategy above.

Once you have the String resources would you recommend storing them on Firebase Remote Config? Then, the resources are not stored directly on the device if a malicious user wants to decompile the app and find the strings. Rather, the strings are passed via an encrypted HTTPs response.

I’ve outlined this potential security measure in a StackOverflow answer.