0

I want to restrict access to my GAE backend only to my Android app. I don't want the authentication to be user-based, and I certainly don't want the user to provide their Google account credentials, or any credentials at all. I just want my GAE API to be accessible to my app only.

There are several questions on StackOverflow about this, but I have not understood what the process is.

The GAE Documentation expectedly describes the server-side of things, and does not provide any snippet for Android clients.

I have stumbled upon this Android developers blog post and this Google Cloud Platform sample project, both of which have an awful lot of things to do in order to authenticate (using the user's email address), which seems like overkill. When I generated the client ID for Android, in the Google Developers Console, I specified both the package and the SHA1 checksum from the application's keystore. I was under the impression that they would somehow suffice to identify the app to the server in a more transparent way.

Are the above links the way to go, or am I on the wrong track?

Markos Fragkakis
  • The code from those links uses the user's account from Google Play Services. So this style of authentication is certainly user-based. The problem with just using some app ID is that it's easy to hack for an attacker, reverse compile the app or listen to the traffic from your app. I don't believe there is any truly secure way to do it that's not user-based (unless Google bakes something into the framework), you can only make it increasingly complex to hack, which means a lot of work on your end, too. – Uli Mar 14 '16 at 03:55

1 Answer

1

You really can't "Restrict GAE API (Endpoints) to Android app" as of right now. The reason is that a hacker could potentially decompile your Android app and view any type of client keys or other credentials and then have full access to your Cloud Endpoints API methods.

Is this likely? I am not sure. You would have to do your own research on that. It would depend on many factors such as how well known your app is, how determined the hacker is, etc. For example, Snapchat uses GAE and it had many problems with security where hackers were able to access their API to make 3rd party apps. I imagine it involved some sort of decompilation either of the Android or iOS client.

Take a look at a question (and comments) I asked a while ago that is similar. All Cloud Endpoints is, is a way to create a RESTful API. Uniquely identifying only your specific Android application is the real problem: How to uniquely identify your Android app for rest API

Micro
  • Does this mean that (if someone decompiles and sees how the app authenticates) they can re-use the same way in their own app and consume my API (again with Google auth)? Where do Client IDs kick in? – Markos Fragkakis Mar 16 '16 at 10:24
  • Good question. From my experience and testing (anyone else feel free to chime in), the `clientIds` kick in only in conjunction with Google+ authentication. Somehow, the API will restrict the API to your client when using the Google+ login. I have not been able to determine how that works, because the two systems do seem independent of each other. Although they are probably somehow linked (not sure how). For more info on this check out: http://stackoverflow.com/questions/32126999/authenticating-your-client-to-cloud-endpoints-without-a-google-account-login – Micro Mar 16 '16 at 14:48
  • Thanks for the response. Let me chew on it some days, and unless I find out something different, I will mark this as the answer. – Markos Fragkakis Mar 16 '16 at 19:17
  • @MarkosFragkakis If you find something different please comment and let me know!!! This has been an issue of much research for me too. – Micro Mar 16 '16 at 19:25
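
An added example (not code from the question, the answer, or Cloud Endpoints) of what the answer's point looks like from the server side: signing requests with a key embedded in the app lets the backend refuse tampered requests and late replays of captured traffic, but it accepts any client that holds the same key. The key value, the `/api/v1/score` path and the function names are hypothetical.

```python
import hashlib
import hmac

# Constructed stand-in for a key shipped inside the APK (assumption).
EMBEDDED_APP_KEY = b"constructed-demo-key"
MAX_SKEW_SECONDS = 300  # accepted clock difference between app and server


def sign_request(key, method, path, body, timestamp):
    """Client side: HMAC-SHA256 over method, path, timestamp and body hash."""
    body_hash = hashlib.sha256(body).hexdigest()
    message = "\n".join([method.upper(), path, str(timestamp), body_hash])
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


def verify_request(key, method, path, body, timestamp, signature, now):
    """Server side: returns 'ok', 'stale' or 'bad-signature'."""
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return "stale"  # captured traffic replayed after the window is refused
    expected = sign_request(key, method, path, body, timestamp)
    # Constant-time comparison, so timing does not reveal partial matches.
    if not hmac.compare_digest(expected, signature):
        return "bad-signature"
    return "ok"  # replay inside the window would also need a nonce store


def demo():
    """Four constructed cases run through the server-side check."""
    key, path, now = EMBEDDED_APP_KEY, "/api/v1/score", 1458000000
    body = b'{"score": 10}'
    sig = sign_request(key, "POST", path, body, now)
    # A different program holding the same key signs exactly like the app.
    other_sig = sign_request(key, "POST", path, b'{"score": 11}', now)
    return {
        "genuine_app": verify_request(key, "POST", path, body, now, sig, now),
        "tampered_body": verify_request(
            key, "POST", path, b'{"score": 99}', now, sig, now),
        "replayed_later": verify_request(
            key, "POST", path, body, now, sig, now + 3600),
        "other_client_same_key": verify_request(
            key, "POST", path, b'{"score": 11}', now, other_sig, now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The last case returns `ok` because the check proves possession of the key, not which app is calling.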