如何在AndroidManifest.xml中隐藏API密钥 [英] How to hide API Keys in AndroidManifest.xml
问题描述
我刚刚为Flutter启动了 Google Maps插件,它需要我插入生成的API键入 android/app/src/main/AndroidManifest.xml 中的 AndroidManifest.xml 文件.片刻之后,我将其提交给我的仓库,并立即收到Google和Git的警告,要求更改以生成新密钥等(不知道您不应该这样做,所以我现在很清楚).
I've just started Google Maps plugin for Flutter and it required me to insert the generated API key into the AndroidManifest.xml file in android/app/src/main/AndroidManifest.xml. A few moments later I committed it to my repo and immediately got a warning from Google and Git to change generate a new key etc (didn't know you weren't supposed to do that so I'm well aware now).
之后,我开始寻找隐藏API密钥的方法.一种解决方案是使用 Flutter安全存储插件,但这只会有所帮助(我(代码)文件中.另一种方法是创建一个单独的文件并将其添加到.gitignore,但是当我构建APK时,该文件也不会被捆绑吗?
After, I began searching ways to hide API keys. One solution is to use the Flutter Secure Storage plugin but that only helps (I think) within a .dart file. Another is to create a separate file and add it to .gitignore but when I build the APK won't that file also be bundled?
理想情况下,我想发布它,但我不希望该密钥易于访问,因此如何在不使用纯文本的情况下将API密钥加载到 AndroidManifest.xml 文件中?我想避免使用后端,所以我想我可以手动对其进行哈希处理,然后在运行时取消哈希处理,但是我仍然不知道如何动态更改 AndroidManifest.xml 文件.
Ideally I'd like to publish it but I wouldn't want the key to be easily accessible so how can I load the API key into the AndroidManifest.xml file without using plaintext? I would like to avoid using a backend so I was thinking I could manually hash it and then unhash at runtime, but I still don't know how to dynamically change the AndroidManifest.xml file.
推荐答案
您无法混淆清单中存储的键,因为存储的(静态)值将直接由Google Maps API本身使用.为了保护您的密钥,请考虑在GCP控制台中添加限制,以便只有授权的客户端才能使用您的密钥.
There is no way for you to obfuscate the key stored in your Manifest as the stored (static) value will be directly used by the Google Maps API itself. To secure your key, consider adding restrictions in your GCP console so that only authorized clients can use your key.
有关更多详细信息,请参见此链接: https://developers.google.com/maps/documentation/android-sdk/get-api-key#restrict_key
See this link for more details: https://developers.google.com/maps/documentation/android-sdk/get-api-key#restrict_key
以下是有关保护API密钥的最佳做法的更多信息: https://developers.google.com/maps/api-key-最佳做法#api_key_table
Here's more information about the best practices to securing your API keys: https://developers.google.com/maps/api-key-best-practices#api_key_table
这篇关于如何在AndroidManifest.xml中隐藏API密钥的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
