如何使用Firebase托管安全地存储和检索android应用程序(使用本地Java编写)的API密钥? [英] How can I securely store and retrieve API Keys for an android application (written in native Java) using Firebase Hosting?
问题描述
我使用Firebase开发了一个简单的android应用程序(本地Java)。我有几个API密钥硬编码到我的应用程序的资源。我读过最好将这些密钥存储在服务器上。我目前没有自己的域名或服务器,但我有兴趣使用Firebase托管来存储这些API密钥。
我希望能为建立基础提供一些帮助通过Firebase托管存储和检索这些API密钥。如果他们是简单和安全的,我打开其他建议。
谢谢!
Firebase主机只允许你存储静态资源。所以,虽然您可以将您的API密钥存储在Firebase的托管服务器上,但对安全性无帮助。它仍然是每个人都可以阅读。
您应该做的是在客户端使用常规的Firebase身份验证。这包括在 Android版用户认证的Firebase指南中。一个很好的例子可以在 Android的Firebase登录演示中找到。
I'm just starting to learn to code. Providing example code would be fantastic.
I developed a simple android application (native Java) using Firebase. I have several API keys hard-coded into the resources of my application. I read that it is better to store these keys on a server. I currently do not have my own domain or server, but I am interested in using Firebase Hosting to store these API keys.
I would appreciate some help setting up the foundation for storing and retrieving these API keys through Firebase Hosting. I am open to other suggestions if they are simple and secure.
Thanks!
Your (mobile or web) clients should never include the Secret for your Firebase. At some point somebody will reverse-engineer your code, extracts the Secret and with those be able to read/write all data in your Firebase database. The only thing you'll be able to do at that stage is revoke the Secret, which will make all clients fail.
Firebase hosting allows you to store static resources only. So while you can store your API keys on Firebase's hosting servers, it wouldn't help much for security. It will still be readable by everyone.
What you should instead be doing is using regular Firebase authentication in your clients. This is covered in Firebase's guide for user authentication on Android. A good example of this can be found in the Firebase Login Demo for Android.
这篇关于如何使用Firebase托管安全地存储和检索android应用程序(使用本地Java编写)的API密钥?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
