Hello, thank you very much for the response. I took the system off of Stack Overflow as I felt it did a pretty good job with Firebase encryption. Indeed, I will be hiding the encryption keys outside my app (ie. through keychain.) I read the article you gave and indeed having "hardcoded and unencrypted cloud service credentials" is wrong but does this apply to the encryption system itself (or simply the key)? "Don’t ever try to invent your own encryption scheme" - can you point me to a good one?