Firebase API key restriction not working with Android app package name and SHA1 fingerprint


Problem description

We are using Google Firebase to get CrashLytics data for our app, and the API key that is exposed through the google-services.json file was brought up as a security concern, as the app's apk file can be reverse engineered to get this file, which can then be used by an attacker to send data to our Firebase account.

To avoid this, we tried to follow this documentation to restrict the API key usage such that it can only be used by our app. This is achieved by restricting it with the package name and the SHA1 fingerprint of the keystore of our app.

However, when we tested it out, it didn't work as expected. We were still able to send crash data via a fake app that has the same package name and the same google-services.json file but a different keystore file.

Based on the accepted answer to this question, this approach should work. We would appreciate it a lot if anyone with experience on this could share it with us.

Recommended answer

You have to go to https://console.developers.google.com/apis, and in your project credentials you'll see that your APIs are unrestricted. Follow the on-screen instructions on each API to restrict them.
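The restriction the question describes is an allow-list of (package name, signing-certificate SHA-1) pairs, and the mismatch the asker observed (same package name, different keystore) is exactly the case such a check is meant to reject. The script below is an added example, not code from the question, the answer, or Firebase: it assumes the usual google-services.json layout, in which Android OAuth clients carry the app's `package_name` and a `certificate_hash` (lowercase hex SHA-1 of the signing certificate, without colons), and it uses constructed placeholder values throughout. The "certificate" bytes are the SHA-1 test vector `b"abc"` rather than a real DER certificate so that the example runs offline with a predictable fingerprint; with a real app you would feed it the DER-encoded signing certificate exported from your keystore.

```python
import hashlib
import json

# Constructed stand-in for the release signing certificate. A real fingerprint is
# SHA-1 over the DER-encoded X.509 certificate; b"abc" is a known SHA-1 test vector,
# used here only so the example runs offline with a predictable value.
RELEASE_CERT_DER = b"abc"

# Constructed google-services.json fragment (assumed layout; every value is a placeholder).
# Note that the API key is plaintext: this is what ships inside the APK.
GOOGLE_SERVICES_JSON = """
{
  "project_info": {"project_id": "example-project", "project_number": "000000000000"},
  "client": [
    {
      "client_info": {
        "mobilesdk_app_id": "1:000000000000:android:0000000000000000",
        "android_client_info": {"package_name": "com.example.app"}
      },
      "oauth_client": [
        {
          "client_id": "PLACEHOLDER.apps.googleusercontent.com",
          "client_type": 1,
          "android_info": {
            "package_name": "com.example.app",
            "certificate_hash": "a9993e364706816aba3e25717850c26c9cd0d89d"
          }
        }
      ],
      "api_key": [{"current_key": "AIza-PLACEHOLDER-KEY"}]
    }
  ]
}
"""


def sha1_fingerprint(der_cert: bytes) -> str:
    """SHA-1 fingerprint in the colon-separated uppercase form keytool prints."""
    digest = hashlib.sha1(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Accept keytool (AB:CD:..), apksigner (abcd..) or mixed-case forms and compare in one form."""
    return fp.replace(":", "").strip().lower()


def load_registered_certs(config_text: str) -> dict:
    """Map package name -> set of registered SHA-1 hashes taken from the Android OAuth clients."""
    config = json.loads(config_text)
    registered = {}
    for client in config.get("client", []):
        for oauth in client.get("oauth_client", []):
            info = oauth.get("android_info")
            if not info:
                continue  # web and other client types carry no Android signing info
            registered.setdefault(info["package_name"], set()).add(
                normalize_fingerprint(info["certificate_hash"]))
    return registered


def exposed_api_keys(config_text: str) -> list:
    """List the API keys shipped in the config, i.e. what reverse engineering the APK recovers."""
    config = json.loads(config_text)
    return [k["current_key"] for c in config.get("client", []) for k in c.get("api_key", [])]


def is_registered(config_text: str, package_name: str, der_cert: bytes) -> bool:
    """Allow-list check on the (package name, signing certificate) pair."""
    registered = load_registered_certs(config_text)
    return normalize_fingerprint(sha1_fingerprint(der_cert)) in registered.get(package_name, set())


if __name__ == "__main__":
    print("API keys in the shipped config:", exposed_api_keys(GOOGLE_SERVICES_JSON))
    print("release keystore:", is_registered(GOOGLE_SERVICES_JSON, "com.example.app", RELEASE_CERT_DER))
    print("same package, different keystore:",
          is_registered(GOOGLE_SERVICES_JSON, "com.example.app", b"other keystore cert"))
```

The second call in the usage block models the asker's fake app: identical package name and config, but a certificate from a different keystore, so the fingerprint is absent from the allow-list. If the equivalent request is still accepted by Google's backend, the key is not actually restricted yet, which is the situation the answer points at.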
