java.lang.RuntimeException:Unable to get provider com.rachittechnology.TheCriminalLawAct2013.NXcX7M: java.lang.NullPointerException: key can't be null

We published a new version of app v1.67 on google play store and its approved and live. There are no errors on play store console for the latest release.

However after we published new version, we started seeing multiple errors on firebase crashlytics console ( also receiving emails on the same ) for v1.66.

Our package name is com.rachittechnology.TheCriminalLawAct2013, however we see random names attached like below in error console. There are 1000s of such error. Also it lists random library on top of crashlytics report like in below case "com.musicplayer.music". This is not associated with our app.

We have implemented SHA certificate on firebase console as well as within GCP API for the app. Not sure why this errors are coming up only in crashlytics ( not on google play store console ) and how to stop them.

Looking for

1. How to fix it in crashlytics ( SHA is already included as signature )
2. Figure out root cause of this issue

      Fatal Exception: java.lang.RuntimeException: Unable to get provider com.rachittechnology.TheCriminalLawAct2013.NXcX7M: java.lang.NullPointerException: key can't be null
   at android.app.ActivityThread.installProvider(ActivityThread.java:8489)
   at android.app.ActivityThread.installContentProviders(ActivityThread.java:7989)
   at android.app.ActivityThread.handleBindApplication(ActivityThread.java:7675)
   at android.app.ActivityThread.-$$Nest$mhandleBindApplication()
   at android.app.ActivityThread$H.handleMessage(ActivityThread.java:2478)
   at android.os.Handler.dispatchMessage(Handler.java:106)
   at android.os.Looper.loopOnce(Looper.java:230)
   at android.os.Looper.loop(Looper.java:319)
   at android.app.ActivityThread.main(ActivityThread.java:8919)
   at java.lang.reflect.Method.invoke(Method.java)
   at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:578)
   at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1103)

Based on feedback from firebase support channel.

Below is solution.

When having crash reports coming from unknown package names, sometimes they could be coming from reversed engineered apps. When this happens, the package name could be changed causing this scenario.

Crashlytics does not rely on API Keys.

To fix this there are two things we can do:

1. Disable Crashlytics in the app and enable it only if the package name matches the package name in the configuration file. E.g.:

if (getApplicationContext().getPackageName().equals(BuildConfig.APPLICATION_ID)) { FirebaseCrashlytics.getInstance().setCrashlyticsCollectionEnabled(true) }

2. Request Firebase to include unknown package name to denylist.