Flutter REST API Security - api

I'm using REST API key in my flutter project in lib folder so is there any chance for someone to decompile the apk and see my API key? Is it secured?

Can a user decompile the apk and get rest api key and write into my database by postman or sth like that?
If you don't share your APK which is generated in debug mode, it won't be easy to access your API key. You should always consider building your APK in release mode. And you can obfuscate your APK too.

Related

How to get google WEB API key to using in Expo sdk 32?

I'm going to make Google login with Expo sdk 32, But In documentation, There is no how to get WEB API Key to use option 'cliendID' at LoginConfig.
How to get google WEB API key to using in Expo sdk 32?
Hi I faced the same issue because it`s not so obvious what to use from the Expo docs, here it is
NOTICE: if you want to make it work with the standalone build, you need to set up REVERSE_CLIENT_ID in the app.json from GoogleService-info.plist
the instruction you can find here: point 5 https://docs.expo.io/versions/latest/sdk/google-sign-in/#setup

Generate google-services.json for firebase via API

Since we've upgraded from GCM to FCM we have a problem because the app suddenly needs a custom google-services.json and I don't seem to find a API or cli tool which enables me to add new apps and generate a new file.
Has someone found a way to automate this?
There is currently no API to generate a google-services.json. You can download it from your Firebase Console by selecting your project and then clicking to manage your Android app.

GCM Google-services.json storing api key

I am implementing GCM with android client and according to the google documentation I need to download the google-services.json and add it to the module. I notice that the google-services.json contains the api key for the project. Is it wise to include the api key in the project?
In my scenario I have to use GCM with android using AWS, in the aws documentation they are simply adding the project number for registration
http://docs.aws.amazon.com/sns/latest/dg/mobile-push-gcm.html
But in android studio when I add dependency in the build.gradle I am getting compilation error for missing google-services.json.
com.google.gms:google-services:
so my question is there a way I can skip the google-services.json in the android studio project? and if not then is it wise to include the api key in that file?
Thanks
P
As have been discussed in this thread, "google-services.json contains developer credentials and configuration settings, which is needed to verify while connecting with GoogleApiClient". However, it was also mentioned that GCM has been used before without google-services.json .

Google-cloud-messaging key not visible in console

In my app gcm server key that is being used on server is not visible on google developer console.
Hence when i am trying to use google-services.json approach to integrate analytics its resulting in creating new key and project id.
how do i get google-services.json file for existing project.
Follow this link to get a configuration file to add to your project. The configuration file provides service-specific information for your app. To get it, you must select an existing project for your app. Check this documentation.

Changing Android API Key for GCM

I have inherited a GCM application to send messages to android phones. We have an Android API Key set up that may have been compromised. I would just like to ensure that I change it in a way that doesn't break the apps that are currently running.
I think what I do is:
Create a new Android API Key here: https://console.developers.google.com/project/my-project-name/apiui/credential
Delete the existing Android API Key
As I understand it from the docs, when I create my new API Key from the last apk generated, the SHA1 I used to generate it, along with the package name, should match up to my already-deployed android apps. I should not need to re-upload an apk.
Is that correct?
Thanks!
Yes and no.
YES, if you are using OAuth 2.0, which depends only on the SHA1 and package name;
NO, if you are using API key, which usually require you to place your key in your manifest file.