Firebase API key restriction not working with Android app package name and SHA1 fingerprint




We are using Google Firebase to get Crashlytics data for our app, and the API key that is exposed through the google-services.json file was brought up as a security concern, as the app APK file can be reverse engineered to get this file, and then it can be used by an attacker to send data to our Firebase account.

To avoid this, we tried to follow this documentation to restrict the API key usage such that it can only be used by our app. This is achieved by restricting it with the package name and the SHA1 fingerprint of the keystore of our app.

However, when we tested it out, it didn't work as expected. We were still able to send crash data via a fake app that has the same package name and the same google-services.json file but a different keystore file.

Based on the accepted answer of this question, this approach should work. Appreciate it a lot if anyone with experience on this can share with us.


You have to go to, and in your project credentials you'll see that your APIs are unrestricted. Follow the on-screen instructions on each API to restrict them.
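To see what a package-name plus SHA-1 restriction actually checks, and to verify whether it took effect on a given key, here is an added shell example; it is not code from the question or the answer above. It computes the signing certificate's SHA-1 in the two forms involved (the colon-separated value the Cloud Console asks for, and the bare upper-case hex the client sends in the X-Android-Cert header), cross-checks that this fingerprint is simply the SHA-1 of the DER certificate, which ships inside every APK, and defines a curl probe that calls a Google API with and without the X-Android-Package / X-Android-Cert headers. The self-signed certificate it generates, the package name com.example.app and the Firebase Installations URL in the commented-out call are placeholders; openssl, sha1sum and (for the probe only) curl are assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the question or answer.
# Google enforces an Android-restricted API key by comparing two request
# headers supplied by the calling app against the package name and SHA-1
# fingerprint configured in the Cloud Console:
#   X-Android-Package: <applicationId of the app>
#   X-Android-Cert:    <SHA-1 of the signing certificate, 40 upper-case hex digits, no colons>
# The fingerprint is sha1(DER encoding of the signing certificate), and that
# certificate is stored in every APK (META-INF/*.RSA or *.EC), so it is not a
# secret: any client that sets both headers to the genuine values passes.
#
# Getting the fingerprint for a real app (not executed here):
#   keytool -list -v -keystore release.jks -alias upload      # line "SHA1: AB:CD:..."
#   apksigner verify --print-certs app-release.apk             # "certificate SHA-1 digest: abcd..."

set -eu

# Normalise a fingerprint written in any common form ("ab:cd:..", "AB CD ..",
# "abcd..") into the value expected in X-Android-Cert. Returns non-zero when
# the input is not a 20-byte SHA-1 written in hex.
android_cert_header() {
    fp=$(printf '%s' "$1" | tr -d ': \n\r' | tr 'a-f' 'A-F')
    case "$fp" in
        '' | *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fp}" -eq 40 ] || return 1
    printf '%s\n' "$fp"
}

# SHA-1 fingerprint of a PEM (or DER) certificate file in the colon-separated,
# upper-case form that keytool prints and the Cloud Console expects.
cert_sha1_fingerprint() {
    { openssl x509 -in "$1" -noout -fingerprint -sha1 2>/dev/null \
      || openssl x509 -in "$1" -inform DER -noout -fingerprint -sha1; } \
      | sed 's/.*Fingerprint=//'
}

# Independent computation: SHA-1 over the DER encoding of a PEM certificate.
# This is exactly what the "fingerprint" is; used below as a cross-check.
der_sha1() {
    openssl x509 -in "$1" -outform DER | sha1sum | cut -c1-40 | tr 'a-f' 'A-F'
}

# Send one request with the key and, when pkg is non-empty, the Android
# identity headers; print the HTTP status. For a correctly restricted key the
# call without headers must come back 403; with headers that match the
# restriction the key is accepted and the status reflects the request body.
# Remaining arguments are passed through to curl (e.g. -d '{...}').
# Needs network access and a real key, so it is only defined here, not run.
probe_key() {
    url=$1; key=$2; pkg=$3; cert=$4
    shift 4
    if [ -n "$pkg" ]; then
        set -- "$@" -H "X-Android-Package: $pkg" -H "X-Android-Cert: $cert"
    fi
    curl -s -o /dev/null -w '%{http_code}\n' -X POST "$url" \
        -H "x-goog-api-key: $key" -H 'Content-Type: application/json' "$@"
}

# Demo with a throwaway self-signed certificate standing in for the release
# signing certificate (constructed here; use the certificate from your real
# keystore or APK instead).
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_CERT=$DEMO_DIR/upload-cert.pem
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo-upload' \
    -keyout "$DEMO_DIR/upload-key.pem" -out "$DEMO_CERT" >/dev/null 2>&1

DEMO_FP=$(cert_sha1_fingerprint "$DEMO_CERT")
echo "Cloud Console SHA-1 : $DEMO_FP"
echo "X-Android-Cert      : $(android_cert_header "$DEMO_FP")"
echo "sha1(DER cert)      : $(der_sha1 "$DEMO_CERT")"

# What the restriction check looks like against a real key (placeholders:
# PROJECT_ID, API_KEY, com.example.app). The URL is the Firebase Installations
# API, which the Firebase SDK calls with the key from google-services.json;
# the body needed for a 200 is out of scope here, only the 403-vs-not
# difference between the two calls matters.
# probe_key "https://firebaseinstallations.googleapis.com/v1/projects/PROJECT_ID/installations" \
#     "$API_KEY" "" "" -d '{}'
# probe_key "https://firebaseinstallations.googleapis.com/v1/projects/PROJECT_ID/installations" \
#     "$API_KEY" com.example.app "$(android_cert_header "$DEMO_FP")" -d '{}'
```

Run the two `probe_key` calls against your restricted key: the first (no headers) must return 403, otherwise the restriction was never applied to that key in the Cloud Console credentials page. Note what the second call demonstrates: the headers are supplied by the client, so a repackaged APK that copies the genuine package name and fingerprint into them is accepted as well. The restriction stops opportunistic reuse of a key scraped from google-services.json; it is not proof that the caller is your signed app. Firebase's own documentation treats this key as an identifier rather than a secret, and puts the real gatekeeping in server-side controls such as Firebase App Check and security rules.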