Reputation: 20623
I am building an Android application in which I will be consuming some of the Google APIs from the application itself. I have enabled billing and increased the quota for some of the APIs.
While creating the credentials I selected Installed Application, Application type as Android, and supplied the package name and SHA1 fingerprint. I just wanted to know how Google decides whether the request originates from my own Android application.
Anybody who has my app installed on their device can get the APK by rooting the device and can get the SHA1 fingerprint and package name. Also, by decompiling the code using some Dex tools, one can extract the Client ID as well. As I have enabled billing for my account, if anybody is able to get all these details they can start consuming the API using my ID.
Please help me understand how this scheme prevents an unauthorized application/system from consuming the API using my ID.
Upvotes: 3
Views: 225
Reputation: 2674
You are correct in that an attacker can get your signing certificate SHA1 fingerprint and ClientID, but fortunately this info alone is not of much use to attackers, because they do not have the private key your APK is signed with. This means that they cannot create their own packages with the same fingerprint.
On Android devices you use Google services via the Google Play Services APK. This code sends the requesting application's signing certificate fingerprint to Google's backend servers. Your (or a potential attacker's) code does not provide this fingerprint when calling Google APIs. The certificate fingerprint is queried behind the scenes using the package manager. The Google backend compares the received fingerprint with the one you registered. If it does not match, the request is denied. All this communication is encrypted, so traffic snooping does not work.
So, for the attacker to use your client ID he has to manipulate the Android platform or the Play Services APK so that an incorrect certificate fingerprint is sent. This is not an easy task. Google Play Services is not open source; Google also updates it very actively and refuses to service requests from old versions. This means that should some attack against the Services APK appear in the wild, they will release a new version.
Similar mechanisms are probably in place for Chrome and iOS.
Upvotes: 2
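What the package-manager lookup described in the answer above looks like from an app's side, as an added example that is not part of the answer: a service verifying that a calling package is signed with an expected certificate, in the same way Play Services derives the fingerprint it reports. The expected fingerprint is a constructed placeholder, and because this check runs on the caller's device it is no stronger than the platform it runs on, which is exactly the point the answer makes.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import java.security.MessageDigest;

/** Verifies that the calling package is signed with an expected certificate. */
public final class SigningCertCheck {
    // Constructed placeholder: replace with the SHA-1 fingerprint registered in the console.
    private static final String EXPECTED_SHA1 =
            "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33";

    /** SHA-1 of the DER certificate as colon-separated upper-case hex (keytool format). */
    static String fingerprint(byte[] derCert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(derCert);
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /**
     * True only if every signing certificate of packageName matches EXPECTED_SHA1.
     * GET_SIGNATURES is the pre-API-28 flag; on API 28+ prefer GET_SIGNING_CERTIFICATES.
     */
    @SuppressWarnings("deprecation")
    static boolean isSignedByExpectedCert(Context ctx, String packageName) {
        try {
            PackageInfo info = ctx.getPackageManager()
                    .getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
            Signature[] sigs = info.signatures;
            if (sigs == null || sigs.length == 0) return false;
            for (Signature s : sigs) {
                // Constant-time compare so the check does not leak how many bytes matched.
                if (!MessageDigest.isEqual(fingerprint(s.toByteArray()).getBytes(),
                                           EXPECTED_SHA1.getBytes())) return false;
            }
            return true;
        } catch (Exception e) {
            return false; // package not installed or digest failure: treat as unverified
        }
    }

    /** Inside a Binder call: resolve the caller from its UID rather than trusting a name it sends. */
    static boolean callerIsTrusted(Context ctx) {
        String[] pkgs = ctx.getPackageManager().getPackagesForUid(Binder.getCallingUid());
        if (pkgs == null) return false;
        for (String p : pkgs) if (!isSignedByExpectedCert(ctx, p)) return false;
        return pkgs.length > 0;
    }
}
```

The UID lookup matters: a package name supplied by the caller in the request can be forged, whereas the UID is assigned by the kernel and mapped back to packages by the package manager.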
Reputation: 2038
Short answer is: you can't. Longer response: move the important things to a secured web server... More and better tricks and explanations here: How to avoid reverse engineering of an APK file?
Upvotes: 0