限制使用 Google API 的 Android 密钥 [英] Restricting usage for an Android key for a Google API
问题描述
我的问题是关于如何在 Google Developers Console 中正确设置包名称和 SHA-1 证书指纹,以便将我的 Android API 密钥的使用限制为我的应用.
My question is about how to properly set the package name and SHA-1 certificate fingerprint in the Google Developers Console in order to restrict usage of my Android API key to my app.
如果我没有在限制使用您的 Android 应用程序"部分中设置任何内容,我对 Google 翻译 API 的请求将正常工作.API 以状态代码 200 和我的预期结果正常响应.
When I don't have anything set in the "Restrict usage to your Android apps" section, my requests to the Google Translate API work properly. The API responds normally with status code 200 and my expected result.
但是,当我使用 Developers Console 为我的应用程序指定包名称和 SHA-1 证书指纹时,我始终收到 403 Forbidden 响应,如下所示:
But when I specify a package name and SHA-1 certificate fingerprint for my app using the Developers Console, I consistently get 403 Forbidden responses like the following:
HTTP/1.1 403 Forbidden
Vary: Origin
Vary: X-Origin
Content-Type: application/json; charset=UTF-8
Date: Sun, 29 Nov 2015 21:01:39 GMT
Expires: Sun, 29 Nov 2015 21:01:39 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alternate-Protocol: 443:quic,p=1
Alt-Svc: quic=":443"; ma=604800; v="30,29,28,27,26,25"
Content-Length: 729
{
"error": {
"errors": [
{
"domain": "usageLimits",
"reason": "ipRefererBlocked",
"message": "There is a per-IP or per-Referer restriction configured on your API key and the request does not match these restrictions. Please use the Google Developers Console to update your API key configuration if request from this IP or referer should be allowed.",
"extendedHelp": "https://console.developers.google.com"
}
],
"code": 403,
"message": "There is a per-IP or per-Referer restriction configured on your API key and the request does not match these restrictions. Please use the Google Developers Console to update your API key configuration if request from this IP or referer should be allowed."
}
}
请求如下所示.请注意,请求中没有引用标头:
The request looks like the following. Notice that there's no referer header in the request:
GET https://www.googleapis.com/language/translate/v2?key=XXXXXXXXXXXXXXXXXXXXXXXX-XXXXXXXXXXXXXX&source=en&target=es&q=test HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; Nexus 6 Build/LVY48H)
Host: www.googleapis.com
Connection: Keep-Alive
Accept-Encoding: gzip
我假设错误消息表明包名称或 SHA-1 指纹问题,尽管它的消息是关于每个 IP 或每个引用者限制".虽然浏览器键允许设置每个引用者的限制,但我使用的 Android 键无处可设置每个 IP 或每个引用者限制.
I'm assuming that the error message indicates a package name or SHA-1 fingerprint problem, despite its message about a "per-IP or per-Referer restriction". While browser keys allow the setting of a per-referer restriction, I'm using an Android key with nowhere to set a per-IP or per-Referer restriction.
我确定我在 Google Developers Console 中正确输入了包名称.我正在从我的 Android 清单文件中 manifest 标签上的 package 属性读取包名称.
I'm sure I have entered the package name correctly in the Google Developers Console. I'm reading the package name from the package attribute on the manifest tag in my Android manifest file.
我也确定我在 Google Developers Console 中正确设置了 SHA-1 指纹.我正在使用命令 keytool -list -v -keystore/path/to/my/keystore 从我的密钥库中读取这个值.当我使用 keytool -list -printcert -jarfile myAppName.apk 从 APK 文件中读取它时,我得到了相同的值.我正在使用 adb 安装相同的 APK 文件.
I'm also sure I have the SHA-1 fingerprint set correctly in the Google Developers Console. I'm reading this value from my keystore using the command keytool -list -v -keystore /path/to/my/keystore. I get the same value when I read it from the APK file using keytool -list -printcert -jarfile myAppName.apk. I'm installing that same APK file using adb.
这是我在开发者控制台中看到的:
Here's what I see in the Developers Console:
我已经在多台运行原生 Android 的设备上进行了测试.无论我是否代理流量,我都会在 wifi 和蜂窝网络上收到错误响应.
I've tested this on multiple devices running stock Android. I get the error response on wifi and on the cell network, whether I'm proxying the traffic or not.
当我从 Developers Console 中删除限制后,该应用又可以正常运行了.
When I remove the restriction from the Developers Console, the app works properly again.
我在这里做错了什么?
注意:几个 类似 问题 有 去过 询问 之前,但是 与
Note: Several similar questions have been asked before, but with no adequate answers. I don't want to use a browser key or remove the restriction altogether. I want to get the usage restriction to work properly.
推荐答案
直接从代码中调用 API 而不是通过 Google 提供的中间 SDK 意味着没有可用的机制来安全地获取应用的证书指纹并通过该指纹指纹到 API.另一方面,当您使用提供的 Android SDK 之一而不是直接访问 API 时(例如,当您使用 Android Google Maps SDK 发送请求时)SDK 可以处理获取您的应用程序的证书指纹,以便应用程序限制将按预期工作.
Hitting the API directly from your code rather than going through a Google-provided intermediate SDK means that there's no mechanism available to securely get your app's certificate fingerprint and pass that fingerprint along to the API. On the other hand, when you're using one of the provided Android SDKs instead of hitting the API directly—for example, when you send requests using the Android Google Maps SDK—the SDK can handle getting your app's certificate fingerprint so that the app restriction will work as intended.
Google Developers Console 在这方面具有误导性,因为对于其某些 API,它允许开发人员根据 Android 应用证书指纹设置密钥限制,但随后并未提供适用于 Android 的 SDK在运行时检查该指纹.那么,开发人员剩下的是更糟糕、更不安全的选项,如此处的另一个答案中所述,将 X-Android-Cert 和 X-Android-Package 标头与他们的请求一起发送.
The Google Developers Console is misleading in this respect because, for some of its APIs, it allows developers to set up key restrictions based on the Android app certificate fingerprint, but then doesn't make available an SDK for Android that's able to check that fingerprint at runtime. What developers are left with, then, is the worse, more insecure option of sending the X-Android-Cert and X-Android-Package headers alongside their requests as described in the other answer here.
因此,对于没有发布用于处理应用证书指纹检查的随附 Android SDK 的 API,事实证明没有隐藏的简单方法可以获取诸如 Google Play 服务之类的东西来处理获取应用的证书指纹才能正确使用应用密钥限制 - 只是没有办法做到这一点.
So for the APIs for which no accompanying Android SDK to handle the checking of app certificate fingerprint has been published, it turns out that there's no hidden easy way to get something like, say, Google Play Services to handle getting your app's certificate fingerprint in order to properly use the app key restriction—there's just not a way to do it.
这篇关于限制使用 Google API 的 Android 密钥的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
