user531069

Reputation: 995

Allowing only my Android apps to execute endpoint API in Java

I created endpoint APIs, but the problem is that anyone with my project ID can go to the API Explorer and execute those APIs. I have put only the Android client ID (using the debug keystore) on top of the endpoint class declaration, but I can still go to incognito mode and execute the APIs. How can I restrict the APIs so that only my Android apps have access and all others get some exception thrown?

Upvotes: 14

Views: 882

Answers (5)

Raghvendra Kumar

Reputation: 1398

Here are some points for consideration:

Cloud Endpoints has been supporting the ANDROID CLIENT ID and package signing, so that should at least take care of the fact that only a signed Android application from your side can access the endpoint.

If you wish to remove the Web Clients from access, then I would probably look into the HTTP Headers and Agents to see if there is a sure way of identifying these web clients. However, this would require that you write your own Authorization logic in the method, since I do not believe that the endpoints infrastructure can take care of this automatically for you.

Removing access for everyone via the Annotations could be problematic if you want a quick way to use the API Explorer to test out the API. So do keep the API Explorer access available.

Upvotes: 0

Ruchira Randana

Reputation: 4179

Use symmetric key cryptography along with digital signatures for this. However, you'll need to share the key with the Android app first.

Here's how it would work.

Whenever the Android app is making a network request, you take the URL & the parameters, then you hash it and then encrypt it using the shared private key. You then append the signature as another parameter to the URL.

At the receiving end, your web API will validate whether the request came from your Android app ONLY.

Please note that this will work ONLY for your app. It will not work as a way to catch all generic Android requests.

Upvotes: 1
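
The request-signing scheme described in the answer above, as an added example that is not part of the original answer or of the Endpoints project. It uses HMAC-SHA256 (a keyed hash) as the signature construction; the class name, the `sig` parameter, the demo key and the `/myApi/v1/transfer` path are constructed for illustration. A key embedded in the app can be recovered from the APK, so this raises the bar rather than proving that the caller is your app.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.TreeMap;
import java.util.stream.Collectors;

public class SignedRequestDemo {
  // Constructed demo key (assumption): a real key must be random and is recoverable from a shipped APK.
  static final byte[] SHARED_KEY = "demo-key-not-for-production".getBytes(StandardCharsets.UTF_8);

  // Canonical form: path plus parameters sorted by name and URL-encoded, so both sides sign identical bytes.
  static String canonical(String path, Map<String, String> params) {
    return path + "?" + new TreeMap<>(params).entrySet().stream()
        .filter(e -> !e.getKey().equals("sig")) // the signature itself is never signed
        .map(e -> URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
            + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
        .collect(Collectors.joining("&"));
  }

  // Client side: keyed hash of the canonical request, URL-safe Base64 encoded.
  static String sign(String path, Map<String, String> params) throws GeneralSecurityException {
    Mac mac = Mac.getInstance("HmacSHA256");
    mac.init(new SecretKeySpec(SHARED_KEY, "HmacSHA256"));
    byte[] tag = mac.doFinal(canonical(path, params).getBytes(StandardCharsets.UTF_8));
    return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
  }

  // Server side: recompute the tag and compare in constant time; a missing or altered sig fails.
  static boolean verify(String path, Map<String, String> params) throws GeneralSecurityException {
    String sent = params.get("sig");
    if (sent == null) return false;
    byte[] expected = sign(path, params).getBytes(StandardCharsets.UTF_8);
    return MessageDigest.isEqual(expected, sent.getBytes(StandardCharsets.UTF_8));
  }

  public static void main(String[] args) throws GeneralSecurityException {
    String path = "/myApi/v1/transfer"; // constructed sample request
    Map<String, String> req = new TreeMap<>(Map.of("user", "alice", "amount", "10"));
    req.put("sig", sign(path, req));
    System.out.println("genuine:  " + verify(path, req));
    req.put("amount", "9999"); // parameter changed after signing
    System.out.println("tampered: " + verify(path, req));
  }
}
```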

matt1

Reputation: 1185

You need to make sure that you have coded your API/backend correctly to only accept the clientId for your app; make sure that you do not see com.google.api.server.spi.Constant.API_EXPLORER_CLIENT_ID as one of the clientIds in your @Api annotation on the API class:

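import com.google.api.server.spi.config.Api;

@Api(
  name = "myApi",
  version = "v1",
  // List only your Android client ID; leave out Constant.API_EXPLORER_CLIENT_ID
  clientIds = {<your android clientId>}
)
public class myApi {
  // your API code here
}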

If the API Explorer client ID is present, it will allow it to execute your API from the API. I am not 100% sure, but I think you may still see your API from the explorer without the client ID, but execution will be prevented with an error.

This article has more info: https://cloud.google.com/appengine/docs/java/endpoints/auth#Specifying_authorized_clients_in_the_API_backend

You may want to think about putting proper auth around the endpoint calls (i.e. per-user auth checks around each method) if it is particularly sensitive. Just adding a User parameter to the @ApiMethod should be enough to force users to auth before executing each method.

Hope that helps.

Upvotes: 2

Code2end

Reputation: 116

On each API you can set allowed_client_ids to be ANDROID_CLIENT_ID only; that can be a possible workaround.

I think this could help if you haven't followed it yet: https://cloud.google.com/appengine/docs/python/endpoints/auth#Python_Creating_OAuth_20_client_IDs

Upvotes: 1

Konstantin Levinski

Reputation: 186

The APIs can be protected by adding a key parameter that has to be correct for the API to be invoked. If the user of the API does not know the key, he won't be able to use the API even with API Explorer.

The advantages of this approach are that it is simple to do and allows you yourself to experiment with the API if you need to.

The disadvantages include being very easy to circumvent by a determined user, just by looking at the traffic.

Upvotes: 3
