Your app contains exposed Google Cloud Platform (GCP) API keys. Please see this Google Help Center article for details


Problem description

My key is restricted using package name and SHA1, still Google Play store shows this warning.

Any idea why it is showing like this? I defined my API key in the build.gradle file and am using it from there.

Recommended answer

As per Google's recommendation, putting restrictions such as specifying the package name and also the SHA-1 key is the way to go.

It has been explained here: https://cloud.google.com/docs/authentication/api-keys#securing_an_api_key

Now, the problem here is that whatever you do, your API key will end up in the codebase, i.e. if you specify it outside your codebase (via some properties file) but pass it in via the BuildConfig field during the build phase (the whole key is visible to someone decompiling your code, as it is now part of the BuildConfig class file), or you split it up and concatenate it in the codebase (the split keys are still visible, and anyone can concatenate them by seeing the usage to get the final key from a decompiled APK).

The split key version will get rid of the warning in the Play Console, but the key is still exposed.

My suggested solution thus would be to encode your API key and pass that around your codebase. Just before using it you decode it back.

A very simple example can be:

Please use a better encoding algo and not this, this is for demonstration purpose only. Here we are using Base64 encoding.

import android.util.Base64

fun main() {
   // API Key = "123456ABC"
   val myEncodedApiKey = "MTIzNDU2QUJD" // Should be passed via BuildConfig
   val decodedApiKey = Base64.decode(myEncodedApiKey, Base64.DEFAULT)

   // Now use `decodedApiKey` in your codebase.
   val decodedApiKeyString = String(decodedApiKey)
}

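Why is this better?

  1. Your key is not exactly the same as the one in your GCP project.
  2. The Play Console, when it scans your codebase, cannot match it to your GCP project API key. Hence no warnings.

Update (clarification on using the google-services.json file for the API key):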

The solution to use the API key from google-services.json isn't quite valid. google-services.json is a generated file, usually created if you connect your Firebase account. The API key defined there has a different restriction model. The one you define in your GCP project is different, allowing you to pass in the package name and an SHA-1 key, as well as being restricted to a specific kind of API access, such as YouTube-only access. So if one was to use the API keys from google-services.json, then you are essentially not using the restrictions you set up in your GCP account. GCP accounts do not generate a google-services.json file.

To bring this into perspective, here is an official doc from Google for setting up the YouTube API, which uses GCP project defined API keys, and in the docs it mentions to directly put the keys in the code (which is anyway wrong, as it is exposed, but that's Google for you).

https://developers.google.com/youtube/android/player/setup

Nowhere in any docs is it mentioned to use the google-services.json file for retrieving API keys.
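
Added example, not part of the original answer: a small pre-release check in Python showing that the three storage styles discussed above (verbatim in BuildConfig, split and concatenated, Base64-encoded) all leave the key recoverable from an app's string constants, so the package-name and SHA-1 restrictions remain the actual control. The `AIza` plus 35 characters pattern is the one commonly used by secret scanners for Google API keys; `FAKE_KEY`, `SAMPLE_CONSTANTS` and `find_gcp_keys` are names and data constructed for this illustration.

```python
import base64
import binascii
import re

# Pattern commonly used by secret scanners for Google API keys.
KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")
# Base64 runs long enough to hold a 39-character key (39 bytes -> 52 chars).
B64_RE = re.compile(r"[A-Za-z0-9+/]{52,}={0,2}")

# Constructed sample data: a fake key and string constants as they might
# appear, in order, in a decompiled class file.
FAKE_KEY = "AIza" + "FAKE0" * 7
SAMPLE_CONSTANTS = [
    "https://example.invalid/api",
    FAKE_KEY,                                      # verbatim BuildConfig field
    FAKE_KEY[:20], FAKE_KEY[20:],                  # split, concatenated at run time
    base64.b64encode(FAKE_KEY.encode()).decode(),  # Base64-encoded
]


def find_gcp_keys(constants):
    """Return (kind, key) pairs for API keys recoverable from string constants."""
    findings = []
    # 1. Keys stored verbatim.
    for s in constants:
        findings += [("plain", k) for k in KEY_RE.findall(s)]
    # 2. Keys split across two adjacent constants.
    for a, b in zip(constants, constants[1:]):
        for m in KEY_RE.finditer(a + b):
            if m.start() < len(a) < m.end():  # match straddles the boundary
                findings.append(("split", m.group()))
    # 3. Keys stored Base64-encoded and decoded just before use.
    for s in constants:
        for token in B64_RE.findall(s):
            try:
                decoded = base64.b64decode(token, validate=True).decode("ascii")
            except (binascii.Error, UnicodeDecodeError):
                continue  # not valid Base64 text, ignore
            findings += [("base64", k) for k in KEY_RE.findall(decoded)]
    return findings


if __name__ == "__main__":
    for kind, key in find_gcp_keys(SAMPLE_CONSTANTS):
        print(f"{kind:7s} {key[:8]}... recoverable")
```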
