How can I securely store and retrieve API Keys for an android application (written in native Java) using Firebase Hosting?


Question

I'm just starting to learn to code. Providing example code would be fantastic.

I developed a simple Android application (native Java) using Firebase. I have several API keys hard-coded into the resources of my application. I read that it is better to store these keys on a server. I currently do not have my own domain or server, but I am interested in using Firebase Hosting to store these API keys.

I would appreciate some help setting up the foundation for storing and retrieving these API keys through Firebase Hosting. I am open to other suggestions if they are simple and secure.

Thanks!

Recommended answer

Your (mobile or web) clients should never include the Secret for your Firebase. At some point somebody will reverse-engineer your code, extract the Secret and with it be able to read/write all data in your Firebase database. The only thing you'll be able to do at that stage is revoke the Secret, which will make all clients fail.

Firebase hosting allows you to store static resources only. So while you can store your API keys on Firebase's hosting servers, it wouldn't help much for security. It will still be readable by everyone.

What you should instead be doing is using regular Firebase authentication in your clients. This is covered in Firebase's guide for user authentication on Android. A good example of this can be found in the Firebase Login Demo for Android.
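The approach the answer recommends, as an added example that is not part of the original answer: the app signs the user in with Firebase Authentication, and server-side database rules, not a Secret shipped in the APK, decide what that user may read. It assumes the current Firebase Android SDK (`FirebaseAuth`, `FirebaseDatabase`); the class name `UserDataLoader` and the `users/<uid>` path are hypothetical.

```java
// Added example; assumes firebase-auth and firebase-database are in the app's
// Gradle dependencies and the database uses rules such as (hypothetical path):
//   { "rules": { "users": { "$uid": {
//       ".read":  "auth != null && auth.uid === $uid",
//       ".write": "auth != null && auth.uid === $uid" } } } }
import android.util.Log;
import androidx.annotation.NonNull;
import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.auth.FirebaseUser;
import com.google.firebase.database.DataSnapshot;
import com.google.firebase.database.DatabaseError;
import com.google.firebase.database.FirebaseDatabase;
import com.google.firebase.database.ValueEventListener;

/** Hypothetical helper: signs the user in, then reads only that user's data. */
public final class UserDataLoader {
    private static final String TAG = "UserDataLoader";

    /** email/password are typed by the user at runtime, never shipped in the APK. */
    public static void signInAndLoad(String email, String password) {
        FirebaseAuth auth = FirebaseAuth.getInstance();
        auth.signInWithEmailAndPassword(email, password)
            .addOnCompleteListener(task -> {
                FirebaseUser user = auth.getCurrentUser();
                if (!task.isSuccessful() || user == null) {
                    Log.w(TAG, "Sign-in failed", task.getException());
                    return;
                }
                load(user.getUid());
            });
    }

    private static void load(String uid) {
        FirebaseDatabase.getInstance().getReference("users").child(uid)
            .addListenerForSingleValueEvent(new ValueEventListener() {
                @Override public void onDataChange(@NonNull DataSnapshot snapshot) {
                    Log.d(TAG, "Loaded " + snapshot.getChildrenCount() + " entries");
                }
                @Override public void onCancelled(@NonNull DatabaseError error) {
                    // The server-side rules rejected the read (e.g. wrong uid).
                    Log.w(TAG, "Read rejected: " + error.getMessage());
                }
            });
    }

    private UserDataLoader() {}
}
```

With rules like these, a per-user credential extracted from one device gives access to that user's subtree only, and can be disabled for that account without breaking other clients.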
