30

I've been toying around with Firebase, and after reading the documentation (and other SO questions), I'm still confused about some of the API keys. I'm using Firebase for Analytics, Crashlytics, and Performance, but I also have it linked to Google Play and AdMob.

When I set it up for the first time, 3 API keys were created in the developer console.

  1. Browser key (auto created by Google Service)
  2. Android key (auto created by Google Service)
  3. Server key (auto created by Google Service)

I tried reading through the documentation to find where it is described how these keys are used, but I wasn't able to find it. From looking around the Firebase application, it looks like the Android Key is used as the Web API Key, and the Server Key is used as the Cloud Messaging Legacy Server Key (although I don't use Cloud Messaging). I'm not sure how Firebase is using the Browser Key.

What I'm trying to do is restrict these keys as much as possible to prevent any malicious use of them.

I added the following API restrictions:

  1. Android Key
    • Firebase Services API
  2. Server Key
    • Firebase Cloud Messaging API
  3. Browser Key
    • Firebase Services API

I'm not entirely sure if these restrictions are correct for what I am using them for, but they worked for the Android Key and the Server Key, at least as far as I can tell. However, the Browser Key restrictions appear not to work, as Firebase is creating a new Browser Key when I redeploy my application.

To sum up my question, I can see that Firebase is auto creating API keys for me, but I cannot find any documentation that talks about how these keys are used for the basic features of Firebase that I'm using. I'm also not entirely sure how I can restrict these keys, especially the Browser Key.

Spark323
    I'm wondering the same thing. Firebase seems to auto-create these keys and if I change them they are re-created. I dislike that these keys seem to be out of my control. – devlop Sep 25 '18 at 19:07
  • Same question here. I also wonder why they generate unrestricted api keys, seems a little bit exaggerated. – Tomas Jansson Jan 07 '19 at 12:52
  • Did you ever figure out an answer to your question? – ahong Oct 23 '20 at 11:34
  • I have also noticed that some of those API keys show up in the google-services.json file. I don't know whether that file is in the compiled app or not, but in case it is, it would be something to be concerned about. – josue.0 Jan 20 '21 at 23:41
  • I found out that the keys in that json file are compiled in the apk as resources: https://groups.google.com/g/firebase-talk/c/bamCgTDajkw/m/uVEJXjtiBwAJ – josue.0 Jan 21 '21 at 02:19
  • Just a follow up, did you find an answer? – josue.0 May 06 '21 at 16:52
  • @josue.0 outside of the comments here, no. – Spark323 May 19 '21 at 04:29

2 Answers

6

There are Application Restrictions where you can restrict by: HTTP referrers, IP addresses, Android apps, iOS apps. And these are the only ones that seem to work.

I've found that it is better not to restrict API calls on the auto-generated Firebase API keys. I've tried API restrictions for the Firebase Web API Key, but the changes break other components.

I tried restricting the API calls to only the ones that had something to do with Firebase or Authentication. After making these changes, login with password using Firebase stopped working, and it displays the following error message in the JavaScript console:

https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword?key=THE_NOW_RESTRICTED_API_KEY
{
  "error": {
    "code": 400,
    "message": "EMAIL_NOT_FOUND",
    "errors": [
      {
        "message": "EMAIL_NOT_FOUND",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}
SAGB
  • It is very strange; when I restricted the auto-generated Firebase API keys, I had a similar problem, unfortunately. I couldn't find any doc or answer about this problem. – Zafer Nov 17 '22 at 08:52
2

The Android Key can be locked down to "Android Apps" via providing the package name and SHA1 fingerprint.

It seems that this would restrict usage by the key to signed Android code?

I enabled this restriction without any undesirable side effects.

majway27
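The following audit script ties the two answers together. It is an added example, not code from either answer, from the question, or from Firebase itself. It reads the key list that `gcloud services api-keys list --format=json` prints (API Keys API v2 `Key` resources; the `restrictions` field names below come from that API and are an assumption on my part, not something stated on this page) together with the google-services.json that, as the comments note, gets compiled into the APK as resources. For every key it reports: no application restriction at all (the restriction type the first answer found actually works), an Android restriction that does not cover the package the key ships with (the lockdown the second answer describes), and any API restriction, which the first answer found breaks sign-in on auto-generated keys. Both inputs are constructed samples with placeholder key strings and fingerprints.

```python
"""Audit Google Cloud API keys used by a Firebase Android app.

Added example; assumes the API Keys API v2 `Key` schema for the key list
and reads only `client[].api_key[].current_key` from google-services.json.
"""
import json

# Constructed sample of `gcloud services api-keys list --format=json`.
# Key strings and the fingerprint are placeholders, not real values.
SAMPLE_KEY_LIST = json.dumps([
    {
        "displayName": "Android key (auto created by Google Service)",
        "keyString": "PLACEHOLDER_ANDROID_KEY",
        "restrictions": {
            "androidKeyRestrictions": {
                "allowedApplications": [
                    {"packageName": "com.example.app",
                     "sha1Fingerprint": "PLACEHOLDER_SIGNING_CERT_SHA1"}
                ]
            }
        },
    },
    {
        "displayName": "Browser key (auto created by Google Service)",
        "keyString": "PLACEHOLDER_BROWSER_KEY",
        # API restriction only, no application restriction.
        "restrictions": {"apiTargets": [{"service": "firebase.googleapis.com"}]},
    },
    {
        "displayName": "Server key (auto created by Google Service)",
        "keyString": "PLACEHOLDER_SERVER_KEY",
        "restrictions": {},
    },
])

# Constructed google-services.json fragment containing only the fields read here.
SAMPLE_GOOGLE_SERVICES = json.dumps({
    "project_info": {"project_id": "example-project"},
    "client": [{
        "client_info": {"android_client_info": {"package_name": "com.example.app"}},
        "api_key": [{"current_key": "PLACEHOLDER_ANDROID_KEY"}],
    }],
})

# The four application-restriction types the first answer lists.
APP_RESTRICTION_FIELDS = (
    "androidKeyRestrictions", "iosKeyRestrictions",
    "browserKeyRestrictions", "serverKeyRestrictions",
)


def shipped_keys(google_services_json):
    """Map each key string in google-services.json to the package it ships with.

    These keys end up in the APK as resources, so they must be treated as public.
    """
    doc = json.loads(google_services_json)
    found = {}
    for client in doc.get("client", []):
        info = client.get("client_info", {}).get("android_client_info", {})
        for entry in client.get("api_key", []):
            key = entry.get("current_key")
            if key:
                found[key] = info.get("package_name")
    return found


def audit_keys(key_list_json, google_services_json):
    """Return (displayName, finding) pairs for every key needing attention."""
    shipped = shipped_keys(google_services_json)
    findings = []
    for key in json.loads(key_list_json):
        name = key.get("displayName", "<unnamed>")
        restr = key.get("restrictions", {})
        key_string = key.get("keyString")
        app_restriction = next((f for f in APP_RESTRICTION_FIELDS if f in restr), None)
        if app_restriction is None:
            where = "shipped in APK" if key_string in shipped else "not in google-services.json"
            findings.append((name, f"no application restriction ({where})"))
        elif app_restriction == "androidKeyRestrictions":
            # Package name + SHA-1 lockdown: make sure it covers the shipped package.
            allowed = {a.get("packageName")
                       for a in restr[app_restriction].get("allowedApplications", [])}
            package = shipped.get(key_string)
            if package and package not in allowed:
                findings.append((name, f"Android restriction omits shipped package {package}"))
        if restr.get("apiTargets"):
            # API restrictions broke password sign-in in the first answer; flag for review.
            findings.append((name, "API restriction set; re-test sign-in and other flows"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_keys(SAMPLE_KEY_LIST, SAMPLE_GOOGLE_SERVICES):
        print(f"{name}: {finding}")
```

On the constructed samples the Android key passes cleanly, the Browser key is flagged twice (no application restriction, plus an API restriction to re-test), and the Server key is flagged once for having no application restriction at all. Against a real project, replace the two samples with the gcloud output and the project's google-services.json.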