Problem description
We are using Google Firebase to get Crashlytics data for our app, and the API key that is exposed through the google-services.json file was brought up as a security concern: the app APK file can be reverse engineered to get this file, and the key can then be used by an attacker to send data to our Firebase account.
To avoid this, we tried to follow this documentation to restrict the API key usage so that it can only be used by our app. This is achieved by restricting it with the package name and the SHA-1 fingerprint of our app's keystore.
However, when we tested it out, it didn't work as expected. We were still able to send crash data via a fake app that has the same package name and the same google-services.json file, but a different keystore file.
Based on the accepted answer to this question, this approach should work. We would appreciate it a lot if anyone with experience on this could share with us.
Recommended answer
You have to go to https://console.developers.google.com/apis, and in your project credentials you'll see that your APIs are unrestricted. Follow the on-screen instructions on each API to restrict them.
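As an added example, not part of the question or the answer above: the Android-app restriction on an API key is keyed on the package name plus the SHA-1 fingerprint of the certificate that signed the APK, so when a restriction appears not to bite, the first check is whether the fingerprint registered in the console is the one the shipping build is actually signed with. The script below is my own; it assumes `openssl` and `sha1sum` are on PATH, builds a constructed self-signed certificate as a stand-in for an app signing certificate (a real one is exported from the release keystore with `keytool`), derives its SHA-1 fingerprint in the colon-separated form the console uses, and compares it with a registered value. The function names `cert_sha1_fingerprint`, `normalize_fp`, `fingerprint_matches` and `make_test_cert` are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Derives the SHA-1 fingerprint that
# the "Android apps" API-key restriction keys on and compares it with the value
# registered in the console. Assumes `openssl` and `sha1sum` are available.
set -eu

# Print the SHA-1 fingerprint of a PEM certificate as "AA:BB:...:FF" (the same
# value `keytool -list -v` prints on its "SHA1:" line for the signing cert).
cert_sha1_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2
}

# Normalise a fingerprint for comparison: drop colons, force upper case, so a
# value pasted from the console or keytool compares regardless of formatting.
normalize_fp() {
    printf '%s' "$1" | tr -d ':' | tr '[:lower:]' '[:upper:]'
}

# Succeed (exit 0) only when the certificate's fingerprint equals the
# registered one; this is the check to run against the release cert before
# trusting that a restriction covers the build you ship.
fingerprint_matches() {
    cert_file=$1
    registered=$2
    [ "$(normalize_fp "$(cert_sha1_fingerprint "$cert_file")")" = "$(normalize_fp "$registered")" ]
}

# Constructed sample input: a throwaway self-signed certificate standing in for
# an app signing certificate. Prints the path of the generated PEM file.
make_test_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example-signing-cert" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    printf '%s\n' "$dir/cert.pem"
}

# Usage against a real certificate exported from the release keystore:
#   fingerprint_matches release-cert.pem "AA:BB:CC:...:FF" && echo "restriction covers this build"
```

Run `fingerprint_matches` once per signing certificate the app is distributed with; a debug build signed with a different keystore, or a build re-signed by an app store, carries a different fingerprint and is not covered by a restriction that lists only the release certificate.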