Firebase API key restriction not working with Android app package name and SHA1 fingerprint

Problem description

We are using Google Firebase to get CrashLytics data for our app, and the API key that is exposed through the google-services.json file was brought up as a security concern as the app apk file can be reverse engineered to get this file and then it can be used by an attacker to send data to our Firebase account.

To avoid this, we tried to follow this documentation to restrict the API key usage such that it can only be used by our app. This is achieved by restricting it with the package name and the SHA1 fingerprint of the keystore of our app.

However, when we tested it out, it didn't work as expected. We were still able to send crash data via a fake app that has the same package name and the same google-services.json file, but a different keystore file.

Based on the accepted answer of this question, this approach should work. Appreciate it a lot if anyone with experience on this can share with us.
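As an added example (not code from the question or the answer), the POSIX shell script below recovers the SHA-1 fingerprint in the colon-separated form the Google console expects, once from the release keystore and once from the certificate that actually signed a built APK, and checks that the two agree. It assumes the JDK `keytool` is on PATH; the keystore path, alias, store password and APK path are placeholders passed on the command line.

```shell
#!/bin/sh
# Added example: compare the fingerprint registered in the API key restriction
# (taken from the release keystore) with the fingerprint of the certificate
# that signed a given APK. A mismatch means the APK was signed with another
# key, which is exactly the case the package-name + SHA-1 restriction keys on.

# Pull the first "SHA1: XX:XX:..." line out of keytool output on stdin and
# normalise it to the upper-case, colon-separated form shown in the console.
sha1_from_keytool() {
    sed -n 's/^[[:space:]]*SHA1:[[:space:]]*//p' | head -n 1 | tr 'a-f' 'A-F'
}

# Fingerprint of the signing certificate stored under an alias in a keystore.
# $1 keystore path, $2 alias, $3 store password (all placeholders).
keystore_sha1() {
    keytool -list -v -keystore "$1" -alias "$2" -storepass "$3" 2>/dev/null \
        | sha1_from_keytool
}

# Fingerprint of the certificate that actually signed the APK in $1.
apk_sha1() {
    keytool -printcert -jarfile "$1" 2>/dev/null | sha1_from_keytool
}

# Exit status 0 when both fingerprints are present and identical, 1 otherwise.
fingerprints_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Usage: ./check_fingerprint.sh release.keystore alias storepass app.apk
if [ "$#" -eq 4 ]; then
    ks=$(keystore_sha1 "$1" "$2" "$3")
    apk=$(apk_sha1 "$4")
    printf 'keystore : %s\napk      : %s\n' "$ks" "$apk"
    if fingerprints_match "$ks" "$apk"; then
        echo "match: the APK is signed with the registered certificate"
    else
        echo "MISMATCH: the APK is signed with a different key" >&2
        exit 1
    fi
fi
```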

Recommended answer

You have to go to https://console.developers.google.com/apis, and in your project credentials you'll see that your APIs are unrestricted. Follow the on-screen instructions on each API to restrict them.
