Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

0 votes
82 views
in Technique[技术] by (71.8m points)

android - How does Google Cloud API limit the usage to a specific app?

If I understood it correctly, the following feature seems to be able to prevent a person from calling the API other than using the app. How does that work, and how secure is it?

Does it generate some sort of public/private key pair using the app's hash, and sign the request with the private key, so that Google's server can verify that the request was from the app? But if so, given the fact that an Android app is written in Java and can be decompiled relatively easily, if an attacker decompiles the app and extracts the private key from it, he can call Google APIs without using the app, can't he?

Question from: https://stackoverflow.com/questions/65857358/how-does-google-cloud-api-limit-the-usage-to-a-specific-app

He who fights dragons too long becomes a dragon himself; gaze too long into the abyss, and the abyss will gaze back…

1 Answer

0 votes
by (71.8m points)

As described in the documentation (and as you can see in your screenshot), the SHA-1 fingerprint of your app package is required to validate the request source.

Use Android apps for Android applications. This option requires adding your package name and SHA-1 signing-certificate fingerprint.

EDIT 1

In fact, when your Android app calls your service, there are automatic headers such as:

  • X-Android-Package, which contains the package name
  • X-Android-Cert, which is the SHA-1 signature of your package.

Of course, it's possible to get your package, get its name and its SHA-1 signature, and reproduce these headers programmatically.

In any case, API keys aren't a good way to protect access. There is no cryptographic mechanism involved.
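
An added example (not part of the original answer, and not Google's implementation): a Python model of what a package-name-plus-fingerprint restriction is able to check, beside a MAC keyed with a server-held secret for contrast. The two header names come from the answer; the plain-hex fingerprint format, the sample package, certificate bytes, secret and all function names are assumptions constructed for illustration.

```python
import hashlib
import hmac

def cert_fingerprint(der: bytes) -> str:
    """SHA-1 of a DER-encoded signing certificate, as lowercase hex."""
    return hashlib.sha1(der).hexdigest()

def normalize(fp: str) -> str:
    """Accept colon-separated or plain hex; return lowercase plain hex."""
    return fp.replace(":", "").strip().lower()

def header_restriction_ok(headers: dict, allowed: set) -> bool:
    """Model: two caller-supplied strings compared with an allowlist, no secret."""
    pair = (headers.get("X-Android-Package", ""),
            normalize(headers.get("X-Android-Cert", "")))
    return pair in allowed

def sign(secret: bytes, method: str, path: str, body: bytes) -> str:
    """Contrast: MAC keyed with a secret kept on your backend, never in the APK."""
    msg = b"\n".join([method.encode(), path.encode(), body])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def signed_request_ok(secret, method, path, body, presented: str) -> bool:
    return hmac.compare_digest(sign(secret, method, path, body), presented)

# Constructed sample values (assumptions, not real identifiers).
PACKAGE = "com.example.app"
CERT_DER = b"constructed placeholder certificate bytes"
ALLOWED = {(PACKAGE, cert_fingerprint(CERT_DER))}
BACKEND_SECRET = b"constructed secret kept server-side"

def demo() -> dict:
    fp = cert_fingerprint(CERT_DER)
    colon_fp = ":".join(fp[i:i + 2] for i in range(0, len(fp), 2)).upper()
    req = ("GET", "/v1/resource", b"")
    return {
        # Headers as the installed app would send them.
        "app": header_restriction_ok(
            {"X-Android-Package": PACKAGE, "X-Android-Cert": fp}, ALLOWED),
        # Identical strings from any other client: indistinguishable.
        "same_strings": header_restriction_ok(
            {"X-Android-Package": PACKAGE, "X-Android-Cert": colon_fp}, ALLOWED),
        "other_cert": header_restriction_ok(
            {"X-Android-Package": PACKAGE, "X-Android-Cert": "00" * 20}, ALLOWED),
        "mac_with_secret": signed_request_ok(
            BACKEND_SECRET, *req, sign(BACKEND_SECRET, *req)),
        "mac_without_secret": signed_request_ok(
            BACKEND_SECRET, *req, sign(b"wrong", *req)),
    }
```

The header check passes for any caller that presents the allowlisted strings, which is why the restriction limits casual key reuse but does not authenticate the caller; only the MAC case depends on something the caller must hold.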

