google-services.json对黑客安全吗? [英] Is google-services.json safe from hackers?

问题描述

如果黑客反编译了我的APK，他是否可以从该文件中看到我的API密钥?我不担心我的源代码存储库.我只是担心黑客能够以某种方式从我的APK中看到此API密钥.我正在尝试对该文件进行加密并在运行时将其解密，但是存在一些问题

If a hacker decompiled my APK would he be able to see my API keys from this file? I am not worried about my source code repository. I am just worried about a hacker being able to see this API key from my APK somehow. I'm trying to encrypt this file and decrypt it at runtime but having some issues

推荐答案

使用Google插件的设置方式，您很难隐藏google-services.json文件的内容.唯一可行的方法是重新实现插件已为您完成的工作，我不建议这样做.不幸的是，当您按照Google的意愿使用该插件时，任何人只要解压缩APK即可轻松获取Firebase/Google API密钥.

The way that the Google plugin is set up, it will be really hard for you to hide the content of the google-services.json file. The only viable way would be to re-implement yourself what the plugin already does for you, which I wouldn't recommend. When using the plugin the way Google intends you to, it will unfortunately be easy for anyone unzipping your APK to get hold of your Firebase/Google API Key.

但是，您可以通过配置谁可以使用该API密钥来防止对该API密钥的滥用.对于Android应用程序，您可以指定您的API密钥只能由已由给定密钥库和给定程序包名称签名的Android应用程序使用.

However, you can prevent any abusive use of that API key by configuring who can use it. For an Android app, you can specify that your API Key can be used only by an Android application that has been signed by a given keystore and using a given package name.

要配置这些限制，请遵循此处的文档: https://cloud. google.com/docs/authentication/api-keys#api_key_restrictions

To configure those restrictions, follow the documentation here: https://cloud.google.com/docs/authentication/api-keys#api_key_restrictions

除了限制API密钥外，如果您使用的是Firebase RTD/Firestore，还应确保在数据存储上配置安全规则.根据您的用例，您可以阻止匿名用户在数据库的各个部分中进行读取或写入.

On top of restricting the API Key, if you're using Firebase RTD/Firestore, you should also make sure that you configure security rules on the data store. Depending on your use-case, you can prevent anonymous user to read or write in sections of your database.

如果您需要更多详细信息，这是我发现的一篇不错的文章，内容涉及如何在Android应用程序中保护API密钥: https://proandroiddev.com/developing-secure-android-apps-8edad978d8ba

If you want more details, here is a good article I found on how to secure your API keys in an Android application: https://proandroiddev.com/developing-secure-android-apps-8edad978d8ba

这篇关于google-services.json对黑客安全吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！