google-services.json 对黑客安全吗? [英] Is google-services.json safe from hackers?
问题描述
如果黑客反编译了我的 APK,他能从这个文件中看到我的 API 密钥吗?我不担心我的源代码存储库.我只是担心黑客能够以某种方式从我的 APK 中看到这个 API 密钥.我正在尝试加密此文件并在运行时对其进行解密,但遇到了一些问题
Google 插件的设置方式,让你很难隐藏 google-services.json 的内容
代码>文件.唯一可行的方法是重新实现插件已经为你做的事情,我不推荐这样做.不幸的是,当按照 Google 的意图使用插件时,任何人解压缩您的 APK 都会很容易获得您的 Firebase/Google API 密钥.
但是,您可以通过配置谁可以使用该 API 密钥来防止对该 API 密钥的任何滥用.对于 Android 应用,您可以指定您的 API 密钥只能由已由给定密钥库签名并使用给定包名称的 Android 应用使用.
要配置这些限制,请按照此处的文档操作:https://cloud.google.com/docs/authentication/api-keys#api_key_restrictions
除了限制 API 密钥之外,如果您使用 Firebase RTD/Firestore,您还应该确保在数据存储上配置安全规则.根据您的用例,您可以阻止匿名用户读取或写入您的数据库部分.
如果您想了解更多详细信息,这里是我找到的一篇关于如何在 Android 应用程序中保护 API 密钥的好文章:https://proandroiddev.com/developing-secure-android-apps-8edad978d8ba
If a hacker decompiled my APK would he be able to see my API keys from this file? I am not worried about my source code repository. I am just worried about a hacker being able to see this API key from my APK somehow. I'm trying to encrypt this file and decrypt it at runtime but having some issues
The way that the Google plugin is set up, it will be really hard for you to hide the content of the google-services.json file. The only viable way would be to re-implement yourself what the plugin already does for you, which I wouldn't recommend. When using the plugin the way Google intends you to, it will unfortunately be easy for anyone unzipping your APK to get hold of your Firebase/Google API Key.
However, you can prevent any abusive use of that API key by configuring who can use it. For an Android app, you can specify that your API Key can be used only by an Android application that has been signed by a given keystore and using a given package name.
To configure those restrictions, follow the documentation here: https://cloud.google.com/docs/authentication/api-keys#api_key_restrictions
On top of restricting the API Key, if you're using Firebase RTD/Firestore, you should also make sure that you configure security rules on the data store. Depending on your use-case, you can prevent anonymous user to read or write in sections of your database.
If you want more details, here is a good article I found on how to secure your API keys in an Android application: https://proandroiddev.com/developing-secure-android-apps-8edad978d8ba
这篇关于google-services.json 对黑客安全吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
