
I have a problem restricting a Google Cloud Platform API key usage to an Android app: I have added its package name and certificate SHA-1 fingerprint (the debug one to get started) but it doesn't work.

My Cloud Platform API key panel

The error I get when calling any API is

403 Requests from this Android client application <empty> are blocked.

I'm calling the APIs by using a Cloud Endpoints generated client lib, and I've not been able to find any method that I can use at initialisation time to set the app credentials, nor does it do it by itself (as I can guess from the "<empty>" in the error). I can't find any useful info in any documentation either; as far as I've read, it seems like it should do it by itself.

This is my init code:

```java
MyApi.Builder builder = new MyApi.Builder(new NetHttpTransport(), new AndroidJsonFactory(), null)
        .setApplicationName("<my package name>")
        .setRootUrl(<my root URL>)
        .setGoogleClientRequestInitializer(new MyApiRequestInitializer(<my API key>));
```

I've also tried what was suggested in this answer but nothing changed.

Is there any passage I'm missing? How should it be done?

CristinaTheDev
  • how did you configure your Cloud Endpoints? – Michael Meyer Mar 21 '17 at 18:29
  • Same problem here! – Juan Labrador Mar 24 '17 at 15:15
  • @MichaelMeyer , I've configured them using standard Cloud Endpoints Framework 2, use only with API Key. I've followed this [example](https://github.com/GoogleCloudPlatform/java-docs-samples/blob/master/appengine/endpoints-frameworks-v2/backend/src/main/java/com/example/echo/Echo.java), method `echoApiKey(Message message, @Named("n") @Nullable Integer n)`. – CristinaTheDev Mar 28 '17 at 08:46
  • @Ultimecia did you find an answer ?? – Ahmed D. Sherif Apr 21 '18 at 05:27
  • @AhmedD.Sherif unfortunately not yet... – CristinaTheDev Apr 22 '18 at 20:21
  • Setting the header `httpHeaders.set("X-Android-Package", "my.package.name");` was able to fill the `<empty>` slot, though I'm still getting the error even though that package name is defined in the API description. That's pretty weird. Appending the header _X-Android-Cert_ solves the problem, but I don't think sending the signature through the header within the code adds much security. I did not think of the signature as something that can be achieved through the code. – starkm May 06 '18 at 22:25
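
The two headers named in the last comment can be set for every request from one request initializer. The following is an added example, not code from the question, the comments or the Cloud Endpoints project: the class name `AndroidAppHeadersInitializer` is hypothetical, and the fingerprint format (lowercase hex SHA-1 of the first signing certificate, without colons) is an assumption.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import com.google.api.client.googleapis.services.AbstractGoogleClientRequest;
import com.google.api.client.googleapis.services.GoogleClientRequestInitializer;
import com.google.api.client.http.HttpHeaders;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Hypothetical wrapper: runs an existing initializer, then adds the Android app headers. */
public final class AndroidAppHeadersInitializer implements GoogleClientRequestInitializer {
    private final GoogleClientRequestInitializer delegate; // e.g. the question's MyApiRequestInitializer
    private final String packageName;
    private final String certSha1Hex;

    public AndroidAppHeadersInitializer(Context context, GoogleClientRequestInitializer delegate)
            throws PackageManager.NameNotFoundException, NoSuchAlgorithmException {
        this.delegate = delegate;
        this.packageName = context.getPackageName();
        // GET_SIGNATURES is deprecated since API 28 but still returns the signing certificates.
        Signature[] signatures = context.getPackageManager()
                .getPackageInfo(packageName, PackageManager.GET_SIGNATURES).signatures;
        if (signatures == null || signatures.length == 0) {
            throw new IllegalStateException("No signing certificate found for " + packageName);
        }
        // Signature.toByteArray() is the DER-encoded certificate; its SHA-1 is the
        // fingerprint that is registered next to the package name on the API key.
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(signatures[0].toByteArray());
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b)); // assumed format: lowercase hex, no colons
        }
        this.certSha1Hex = hex.toString();
    }

    @Override
    public void initialize(AbstractGoogleClientRequest<?> request) throws IOException {
        delegate.initialize(request); // lets the wrapped initializer set the API key first
        HttpHeaders headers = request.getRequestHeaders();
        headers.set("X-Android-Package", packageName);
        headers.set("X-Android-Cert", certSha1Hex);
    }
}
```

An instance that wraps the existing `MyApiRequestInitializer` is passed to `setGoogleClientRequestInitializer(...)` in the builder from the question. Both header values are supplied by the client, which is the limitation the comment points out.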

1 Answer


I believe the problem appears only in emulators. I am getting the same error when running my app in an emulator. However, on real devices I do not seem to have the problem. Have you tested it on a real device?

Catalin Morosan