如何在 AndroidManifest.xml 中隐藏 API 密钥 [英] How to hide API Keys in AndroidManifest.xml
问题描述
我刚刚开始使用 Flutter 的 Google 地图插件,它需要我插入生成的 API键入 android/app/src/main/AndroidManifest.xml
中的 AndroidManifest.xml
文件.几分钟后,我将它提交到我的仓库,并立即收到了来自 Google 和 Git 的警告,要求更改生成新密钥等(不知道您不应该这样做,所以我现在很清楚).
I've just started Google Maps plugin for Flutter and it required me to insert the generated API key into the AndroidManifest.xml
file in android/app/src/main/AndroidManifest.xml
. A few moments later I committed it to my repo and immediately got a warning from Google and Git to change generate a new key etc (didn't know you weren't supposed to do that so I'm well aware now).
之后,我开始寻找隐藏 API 密钥的方法.一种解决方案是使用 Flutter Secure Storage plugin 但这只会有所帮助(我认为)在 .dart
文件中.另一种方法是创建一个单独的文件并将其添加到 .gitignore 中,但是当我构建 APK 时,该文件不会也被捆绑吗?
After, I began searching ways to hide API keys. One solution is to use the Flutter Secure Storage plugin but that only helps (I think) within a .dart
file. Another is to create a separate file and add it to .gitignore but when I build the APK won't that file also be bundled?
理想情况下,我想发布它,但我不希望密钥易于访问,那么如何在不使用纯文本的情况下将 API 密钥加载到 AndroidManifest.xml
文件中?我想避免使用后端,所以我想我可以手动散列它,然后在运行时取消散列,但我仍然不知道如何动态更改 AndroidManifest.xml
文件.
Ideally I'd like to publish it but I wouldn't want the key to be easily accessible so how can I load the API key into the AndroidManifest.xml
file without using plaintext? I would like to avoid using a backend so I was thinking I could manually hash it and then unhash at runtime, but I still don't know how to dynamically change the AndroidManifest.xml
file.
推荐答案
您无法混淆存储在清单中的键,因为存储的(静态)值将直接由 Google Maps API 本身使用.为了保护您的密钥,请考虑在您的 GCP 控制台中添加限制,以便只有经过授权的客户才能使用您的密钥.
There is no way for you to obfuscate the key stored in your Manifest as the stored (static) value will be directly used by the Google Maps API itself. To secure your key, consider adding restrictions in your GCP console so that only authorized clients can use your key.
查看此链接了解更多详情:https://developers.google.com/maps/documentation/android-sdk/get-api-key#restrict_key
See this link for more details: https://developers.google.com/maps/documentation/android-sdk/get-api-key#restrict_key
以下是有关保护 API 密钥的最佳做法的更多信息:https://developers.google.com/maps/api-key-最佳实践#api_key_table
Here's more information about the best practices to securing your API keys: https://developers.google.com/maps/api-key-best-practices#api_key_table
这篇关于如何在 AndroidManifest.xml 中隐藏 API 密钥的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!