Your app contains exposed Google Cloud Platform (GCP) API keys. Please see this Google Help Center article for details

Problem description

My key is restricted using package name and SHA1, but Google Play store still shows this warning.

Any idea why it is showing like this? I defined my API key in the build.gradle file and am using it from there.

Recommended answer

As per Google's recommendation, putting restrictions such as specifying the package name and also the SHA-1 key is the way to go.

It has been explained here: https://cloud.google.com/docs/authentication/api-keys#securing_an_api_key

Now, the problem here is that whatever you do, your API key will end up in the codebase, i.e., if you specify it outside your codebase (via some properties file) but pass it in via the BuildConfig field during the build phase (the whole key is visible to someone decompiling your code, as it is now part of the BuildConfig class file), or you split it up and concatenate it in the codebase (the split keys are still visible, and anyone can concatenate them by seeing the usage to get the final key from a decompiled APK).

The split key version will get rid of the warning in the Play Console, but the key is still exposed.

My suggested solution thus would be to encode your API key and pass that around your codebase. Just before using it you decode it back.

A very simple example can be:

Please use a better encoding algorithm and not this one; this is for demonstration purposes only. Here we are using Base64 encoding.

import android.util.Base64

fun main() {
   // API Key = "123456ABC"
   val myEncodedApiKey = "MTIzNDU2QUJD" // Should be passed via BuildConfig
   val decodedApiKey = Base64.decode(myEncodedApiKey, Base64.DEFAULT)

   // Now use `decodedApiKey` in your codebase.
   val decodedApiKeyString = String(decodedApiKey)
}

Why is this better?

  1. Your key is not exactly the same as the one in your GCP project.
  2. The Play Console, when scanning your codebase, cannot match it against the GCP project API key. Hence no warning.

Update (clarification on using the google-services.json file for the API key):

The solution to use the API key from google-services.json isn't quite valid. google-services.json is a generated file, usually created if you connect your Firebase account. The API key defined there has a different restriction model. The one you define in your GCP project is different, allowing you to pass in a package name and an SHA-1 key, as well as being restricted to a specific kind of API access, such as YouTube-only access. So if one were to use the API keys from google-services.json, then you are essentially not using the restrictions you set up in your GCP account. GCP accounts do not generate a google-services.json file.

To put this into perspective, here is an official doc from Google for setting up the YouTube API, which uses GCP project-defined API keys, and the docs mention putting the keys directly in the code (which is wrong anyway, as it is exposed, but that's Google for you).

https://developers.google.com/youtube/android/player/setup

Nowhere in any docs is it suggested to use the google-services.json file for retrieving API keys.
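
Added example (not part of the original answer and not Google tooling): a release check in Python that scans string constants extracted from a build for a Google API key in plain, Base64-encoded, or two-part split form, the three forms the answer discusses. The `AIza` plus 35 character key pattern, the function name `find_keys`, and the sample key are assumptions constructed for this example.

```python
import base64
import binascii
import re

# Assumption: Google API keys are "AIza" followed by 35 URL-safe characters.
GCP_KEY = re.compile(r"AIza[0-9A-Za-z_-]{35}")
# A 39-character key encodes to 52 Base64 characters, so look at runs >= 52.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{52,}={0,2}")

# Constructed sample key and its Base64 form (not a real credential).
FAKE_KEY = "AIza" + "FAKE" + "0" * 31
ENCODED = base64.b64encode(FAKE_KEY.encode()).decode()


def find_keys(strings):
    """Return (key, form) pairs; form is 'plain', 'base64' or 'split'."""
    hits = []
    for s in strings:
        # Form 1: the key appears verbatim (e.g. a BuildConfig field).
        hits += [(m.group(), "plain") for m in GCP_KEY.finditer(s)]
        # Form 2: a Base64 run that decodes to text containing a key.
        for m in B64_RUN.finditer(s):
            try:
                text = base64.b64decode(m.group(), validate=True).decode("ascii")
            except (binascii.Error, UnicodeDecodeError):
                continue  # not valid Base64 or not ASCII: ignore the run
            hits += [(k.group(), "base64") for k in GCP_KEY.finditer(text)]
    # Form 3 (heuristic): two adjacent constants that join into exactly one key.
    for a, b in zip(strings, strings[1:]):
        if GCP_KEY.search(a) or GCP_KEY.search(b):
            continue  # already reported as plain
        if GCP_KEY.fullmatch(a + b):
            hits.append((a + b, "split"))
    return hits


if __name__ == "__main__":
    # Constructed stand-in for strings pulled from a decompiled build.
    sample = ['val myEncodedApiKey = "' + ENCODED + '"', FAKE_KEY[:8], FAKE_KEY[8:]]
    for key, form in find_keys(sample):
        print(form, key)
```

A hit in any of the three forms means the key can be read back out of the APK, so the package name, SHA-1 and API restrictions set in the GCP project are what limit its use.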
