All geek questions in one place

API Endpoint Protection for Google Application APIs

Recently, I did a lot of research to protect my application. I am currently reading the question below and the links in this question:

How do I restrict access to the Google App Engine endpoint APIs only for my Android applications?

However, it does not answer my problem. My question is similar to the question above, restricting access to my endpoint API only for my application. The guy seemed to work when he entered the correct password into the credentials.

My question is, is it possible to achieve the same results without entering any credentials. I want only my application to be able to use my endpoint API so that other applications do not abuse it and do not use my quota. I already got the client ID for my Android app and posted it in my @API annotation. To check if this works, I made a random value for the client id in the @API notation of another api class. However, my application could still use methods from both classes. Any help?

-Edit -

From reading documents and further study, the ultimate way to authorize applications is to authenticate the user and my API to check if the user is null. My question is that in the process of user authentication, can Google somehow read the fingerprint of my SHA1 application and resolve it to the list of client identifiers? If so, how can I replicate this process at my endpoint so that I check the SHA1 fingerprint of the application making the request and compare it with the given value? I'm not very good at mechanics beyond endpoints, so correct me if I get it wrong.

+4
source share
2 answers

Android , . , . ProGuard, [].

, API . .

+2

API : http://android-developers.blogspot.com/2013/01/verifying-back-end-calls-from-android.html

, Google Play, : : server: client_id: 9414861317621.apps.googleusercontent.com, 9414861317621.apps.googleusercontent.com ClientId.

Google Play Google JSON Web Token, . . , . , . , , Google, , , API.

, , HttpServletRequest , request.getHeader( " " ), . , URL, - .

public void endpointmethod(

        // ... your own parameters here

        final HttpServletRequest request
) throws ServiceException, OAuthRequestException {
    request.getHeader("YourHeaderName") // read your header here, authenticate it with Google and raise OAuthRequestException if it can't be validated

Android , api, , :

    Yourapiname.Builder builder = new Yourapiname.Builder(AndroidHttp.newCompatibleTransport(), getJsonFactory(), new HttpRequestInitializer() {
        public void initialize(HttpRequest httpRequest) {
            httpRequest.setHeader(...);
        }})

, API . .

0

Source: https://habr.com/ru/post/1531490/

More articles:


All Articles