
If I understood it correctly, the following feature seems to be able to prevent a person from calling the API other than using the app. How does that work, and how secure is it?

Does it generate some sort of public/private key pair using the app's hash, and sign the request with the private key, so that Google's server can verify that the request was from the app? But if so, given the fact that an Android app is written in Java and can be decompiled relatively easily, if an attacker decompiles the app and extracts the private key from it, he can call Google APIs without using the app, can't he?



1 Answer


As described in the documentation (and as you can see in your screenshot), the SHA-1 fingerprint of your app package is required to validate the request source.

Use Android apps for Android applications. This option requires adding your package name and SHA-1 signing-certificate fingerprint.

EDIT 1

In fact, when your Android app calls your service, there are automatic headers such as

  • X-Android-Package, which contains the package name
  • X-Android-Cert, which is the SHA-1 signature of your package.

Of course, it's possible to get your package, get its name and its SHA-1 signature, and reproduce these headers programmatically.

In any case, API keys aren't a good way to protect access. There is no cryptographic mechanism involved.

  • But how does it work? I think Google Cloud APIs are basically web requests. If the app is calling an API by signing the data with "the SHA-1 fingerprint", it must have the private key inside of the APK. How can it prevent an attacker from decompiling the APK, finding out the key, and using the API pretending to be the app? – Damn Vegetables Jan 23 '21 at 17:11
  • With the name "X-Android-Cert", I searched Google, and someone has already asked [the same question](https://stackoverflow.com/questions/31589308/how-does-google-verify-android-sha1-fingerprints-and-packages). So, if the answer is correct, it is just hashing the name of the package with the public signing key. Neither of the two would vary by device, user, etc., so I guess the "X-Android-Cert" of an app is always the same. That would mean one only has to use an HTTPS sniffer to figure out the value for an app, and call the API for free. – Damn Vegetables Jan 23 '21 at 22:27
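The following is an added example, not code from the question, the answer, or Google's client libraries. It models the mechanism the answer's EDIT 1 and the comments describe: the X-Android-Cert value is a SHA-1 fingerprint over the app's signing certificate, the two headers are constants for a given build, and an "Android apps" key restriction on the server side can only compare those strings against an allowlist. The certificate bytes and package name are constructed stand-ins, and the header format (uppercase hex without colons) is an assumption; the script uses only the Python standard library.

```python
import hashlib

# Constructed sample data (not a real certificate). X-Android-Cert is the SHA-1
# over the DER-encoded signing certificate, so any byte string stands in for it
# well enough to show the mechanism.
SAMPLE_SIGNING_CERT_DER = bytes(range(256)) * 4
SAMPLE_PACKAGE_NAME = "com.example.myapp"  # assumed package name


def cert_fingerprint_sha1(cert_der: bytes, sep: str = "") -> str:
    """SHA-1 fingerprint of a DER certificate as uppercase hex.

    sep=":" gives the colon-separated form the Cloud Console asks for;
    the bare form is what the header is assumed to carry.
    """
    digest = hashlib.sha1(cert_der).hexdigest().upper()
    if not sep:
        return digest
    return sep.join(digest[i:i + 2] for i in range(0, len(digest), 2))


def android_identity_headers(package_name: str, cert_der: bytes) -> dict:
    """Headers a Google client library attaches to identify the calling app.

    Nothing here depends on the device, the user, or the request body, so the
    values are identical for every install of the same build.
    """
    return {
        "X-Android-Package": package_name,
        "X-Android-Cert": cert_fingerprint_sha1(cert_der),
    }


def is_allowed_by_key_restriction(headers: dict, allowlist: set) -> bool:
    """Model of an 'Android apps' key restriction: a pure string comparison.

    allowlist holds (package, fingerprint) pairs as entered in the console,
    with or without colons. No signature is verified, so whoever knows the
    two strings passes.
    """
    normalized = {(p, f.replace(":", "").upper()) for p, f in allowlist}
    pkg = headers.get("X-Android-Package", "")
    cert = headers.get("X-Android-Cert", "").replace(":", "").upper()
    return (pkg, cert) in normalized


def demo() -> dict:
    """Run the scenarios from the thread and return the outcome of each."""
    # What the developer pastes into the console: package + colon-separated SHA-1.
    allowlist = {
        (SAMPLE_PACKAGE_NAME,
         cert_fingerprint_sha1(SAMPLE_SIGNING_CERT_DER, sep=":")),
    }

    # Two different devices running the genuine app send identical headers.
    device_a = android_identity_headers(SAMPLE_PACKAGE_NAME, SAMPLE_SIGNING_CERT_DER)
    device_b = android_identity_headers(SAMPLE_PACKAGE_NAME, SAMPLE_SIGNING_CERT_DER)

    # An attacker who sniffed one request (or computed the values from the
    # APK and its certificate) replays the same two strings from a script.
    replayed = dict(device_a)

    # A caller who knows the package name but not the signing certificate.
    wrong_cert = android_identity_headers(SAMPLE_PACKAGE_NAME, b"some other cert")

    return {
        "headers_identical_across_devices": device_a == device_b,
        "genuine_app_allowed": is_allowed_by_key_restriction(device_a, allowlist),
        "replayed_headers_allowed": is_allowed_by_key_restriction(replayed, allowlist),
        "wrong_cert_allowed": is_allowed_by_key_restriction(wrong_cert, allowlist),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point the script makes is the one in the comments: because the fingerprint is computed over the public signing certificate and the check is a string comparison, a replayed header set is indistinguishable from the genuine app, while only a caller without the right certificate bytes is rejected.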