安全的API密钥的Android [英] Secure API Key Android
问题描述
我目前正在研究其使用的Blogger API从谷歌的一个项目。前日(周六)有人攻击我的应用程序并获取API密钥,我的涨停访问岗位10万(10万/ 24小时)。我触及跌停上周六(我怀疑那些人使用我的API密钥制作欺诈点击,因为我只有4K左右使用应用程序的客户,我嵌在客户端code 的API密钥)。
I am currently working on a project which uses Blogger API from Google. Day before yesterday (saturday) someone attacked my application and grab the API Key, My daily limit for accessing posts is 100,000 (100K/24 hrs). I hit limit on Saturday (I suspect that those were fraudulent clicks made using my API key, since I've only around 4K customers using the application, I embedded the API key in client side code).
此后,五分钟后的API限制再次达到(24小时后)5K。所以我删除了API密钥和生成一个新的。
After that, In five minutes API limit reached again (after 24 hrs) 5K. So I deleted the API key and generated a new one.
我的问题是我怎么能保证在客户端code我新的API密钥,所以没有攻击者能够访问API密钥或至少一些方法来间接使用在客户端code API密钥。
My question is how can I secure my new API Key in client code, so that no attacker can gain access to API key or at least some method to indirectly use the API Key in Client Code.
推荐答案
该谷歌API控制台,您可以您的API密钥绑定到一组应用程序的签名证书。结果
如果限制API密钥几个证书,该API应该是无用的攻击者。
(只要你保持你的私钥的秘密。)
The Google API console lets you bind your API key to a set of signing certificates of the app.
If you limit the API key to a few certificates, the API should be useless to an attacker.
(As long as you keep your private key secret.)
这篇关于安全的API密钥的Android的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
