如何限制谷歌App Engine的端点API只能访问我的Android应用程序? [英] How do I restrict Google App Engine Endpoints API access to only my Android applications?
问题描述
我是一名Android开发建设我的第一个谷歌应用程序引擎(Java)的后端为我的应用程序。我不希望任何人访问此API比我的应用程序等。 (我计划使用的应用程序引擎用于验证在我的Android应用InApp购买)。我的数据是不相关的用户的话, 我不希望用户能够访问我的,即使他们登录与他们的谷歌帐户(在网上或Android设备)API。
I am an Android developer building my first Google App Engine (java) back-end for my apps. I don't want anybody else to access this API other than my app. (I plan to use App engine for verifying InApp purchases in my Android app). My data is not relevant to users so, I don't want users to be able to access my API even if they are logged in with their Google accounts (on web or Android devices).
我跟着中提到的步骤 - 指定授权客户端的API后端 (<一href="https://developers.google.com/appengine/docs/java/endpoints/auth">https://developers.google.com/appengine/docs/java/endpoints/auth) 像生成的客户端ID,并将其添加在@Api(的ClientID和观众) 除了添加用户参数 - 因为我并不需要用户身份验证
I followed the steps mentioned in - "Specifying authorized clients in the API backend" (https://developers.google.com/appengine/docs/java/endpoints/auth) like generating client IDs and add them in @Api (clientIds and audiences) except "Add a User parameter" - since I don't need user authentication.
然后我部署的App Engine和我仍然能够通过API浏览器来访问API(<一href="https://your_app_id.appspot.com/_ah/api/explorer">https://your_app_id.appspot.com/_ah/api/explorer) (我还没有添加API_EXPLORER客户端ID)
Then I deployed App engine and I am still able to access the API through API explorer (https://your_app_id.appspot.com/_ah/api/explorer) (I haven't added API_EXPLORER client ID)
我与建与端点库添加客户端ID之前,仍然可以访问API的APK测试。
I tested with the APK that was built with the endpoint libs before adding client IDs and can still access the API.
-
是增加了用户参数给所有的端点API的绝?达到我的目的(API限制只有我的Android应用程序)。
Is adding a "User parameter" to all endpoint APIs a must? to achieve my purpose (restrict API to only my Android apps).
我可以传递null作为来自Android客户端userAccount名,而忽略对服务器用户参数值(因为它会为null)?这是否会确保API是只能从我的Android应用(因为是我的包名和APK的SHA1生成的客户端ID?)
Can I pass null as userAccount name from Android client and ignore user parameter value on server (since it will be null)? Will this ensure that the API is accessible only from my android apps (since the client ID is generated for my package name and SHA1 of the APK?)
我应该使用类似的服务帐户用于此目的?
Should I use something like a service account for this purpose?
该文件说,为Android,Android和Web客户端ID必须添加和观众必须是相同的Web客户端ID。这是否开放访问任何其他Web客户端?我可以跳过提的Web客户端ID,而且还能达到我的目的?
The documentation says for Android, both Android and Web client IDs must be added and audience must be the same as web client ID. Does this open access to any other web client? can I skip mentioning web client ID and still achieve my purpose?
鸭preciate你的时间和帮助。
Appreciate your time and help.
......更新与我进一步调查......
...... updating with my further investigation ...
我做了以下内容:
-
添加的用户参数的API的后端 - 但没有检查空值。 API仍然可以不经过任何凭据(从Android的调试APK和API浏览器)访问
Added User parameter to APIs on backend - but did not check for null value. API can still be accessed without passing any credentials (from Android debug APK and API explorer)
然后,我试过
mCredential = GoogleAccountCredential.usingAudience(这一点,服务器:CLIENT_ID:+ WEB_CLIENT_ID); mCredential.setSelectedAccountName(空);
mCredential = GoogleAccountCredential.usingAudience(this, "server:client_id:" + WEB_CLIENT_ID); mCredential.setSelectedAccountName(null);
和通过了这个凭据API生成器(在一些其他职位的建议) 造成致命的异常。因此,我们不能将空帐户名。
and passed this credential to API builder (as suggested in some other posts) Caused FATAL EXCEPTION. So, we can't pass null account name.
-
我可以使用API浏览器没有的OAuth调用API。但是,当我启用OAuth的,它给了错误说这个客户端ID是不允许的! (我还没有添加com.google.api.server.spi.Constant.API_EXPLORER_CLIENT_ID在client_ids {})
I could call the API using API explorer without OAuth. But when I enabled OAuth, it gave error saying this client ID is not allowed! ( I haven't yet added com.google.api.server.spi.Constant.API_EXPLORER_CLIENT_ID in client_ids{})
然后,我添加code扔OAuthRequestException在后端,如果用户为null。这导致API浏览器得到错误没有OAuth的。它与OAuth的增加API_EXPLORER_CLIENT_ID到client_ids)后启用
Then I added code to throw OAuthRequestException on the backend if the user is null. This resulted in API explorer getting errors without OAuth. It works with OAuth enabled after adding API_EXPLORER_CLIENT_ID to client_ids)
加code,从我的Android应用程序通过有效的用户帐户名(电子邮件)。然后,我可以访问API只与我的版本APK。即使是调试APK变得异常! - 这是我expected..So,我认为没有其他的Android应用程序将能够访问此API
Added code to pass valid user account name(email) from my Android app. Then, I am able to access API only with my release APK. Even the debug APK gets exceptions! - which is what I expected..So, I assume no other Android apps will be able to access this API.
所以,不检查后端API空用户是一个坏主意(如在其他职位的建议)。这是不如不提任何client_ids并没有用户参数。
So, not checking for null user on back-end API is a bad idea (as suggested in other posts). It is as good as not mentioning any client_ids and not having User param.
唯一的问题我已经在这一刻是:如果有人能找出WEB_CLIENT_ID从APK,他们将能够使用它来建立一个Web客户端来访问我的API(我没有提到的客户端秘密的任何地方在code,所以我想这是不可能的)。
Only question I have at this moment is: If some one can figure out the WEB_CLIENT_ID from the APK, will they be able to use it to build a web client to access my API (I haven't mentioned client secret anywhere in the code. So I am thinking this is not possible).
我没有搜索谷歌集团和#1,但它仍然是不明确的。
I did search Google groups and Stackoverflow, but still it is not clear.
-
(验证我的应用程序,以谷歌的云终端不是一个用户) <一href="http://stackoverflow.com/questions/20396577/authenticate-my-app-to-google-cloud-endpoints-not-a-user">Authenticate我&QUOT;应用&QUOT;以谷歌的云终端不是一个&QUOT;用户QUOT;
(Authenticate my "app" to Google cloud endpoints not a "user") Authenticate my "app" to Google cloud endpoints not a "user"
(如何保护我的API,使用谷歌云端点建?) <一href="http://stackoverflow.com/questions/16890175/how-do-i-protect-my-api-that-was-built-using-google-cloud-endpoints">How保护我的API,使用谷歌云端点建?
(How do I protect my API that was built using Google Cloud Endpoints?) How do I protect my API that was built using Google Cloud Endpoints?
(限制访问谷歌的云终端到Android应用程序) <一href="http://stackoverflow.com/questions/17873993/restrict-access-to-google-cloud-endpoints-to-android-app">Restrict访问谷歌的云终端到Android应用
(Restrict access to google cloud endpoints to Android app) Restrict access to google cloud endpoints to Android app
推荐答案
我有一个类似的问题,而不是与Android和App Engine的,一个单独的服务器和应用程序引擎之间,但。我处理的方式是签名的散列字段中添加作为参数传递给每个API调用。如果请求有一个不正确的签名,它会被拒绝。
I had a similar issue, not between Android and App Engine, but between a separate server and App Engine. The way I handled it was to add a signature hash field as a parameter to each API call. If the request had an improper signature, it would be denied.
例如,假设您的API终点是 example.com/api/do_thing?param1=foo 。我会散列整个URL,连同一个密钥,然后追加散列请求的结果是: example.com/api/do_thing?param1=foo&hash= [有些长的十六进制值] 。
For example, suppose your API end-point is example.com/api/do_thing?param1=foo. I would hash the entire url, along with a secret key, and then append the result of the hash to the request: example.com/api/do_thing?param1=foo&hash=[some long hex value].
然后,在服务器端,我会先从URL请求删除该散列,然后运行在剩下的这一切的哈希值。最后,检查所算出的散列是否已发送的请求一个匹配,如果他们不这样做,你可以拒绝该请求。
Then, on the server side, I would first remove the hash from the url request, then run the hash on everything that was remaining. Finally, you check whether the calculated hash matches the one that was sent with the request and if they don't, you can deny the request.
这是非常重要的不过是你的密钥保持秘密。你必须要小心地使用这个在Android上,因为有人可能试图反编译你的APK。
It is very important however that your secret key remain secret. You have to be careful with this on Android because someone could attempt to decompile your APK.
这篇关于如何限制谷歌App Engine的端点API只能访问我的Android应用程序?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
