Changing Android API Key for GCM - google-cloud-messaging

I have inherited a GCM application to send messages to android phones. We have an Android API Key set up that may have been compromised. I would just like to ensure that I change it in a way that doesn't break the apps that are currently running.
I think what I do is:
1. Create a new Android API Key here: https://console.developers.google.com/project/my-project-name/apiui/credential
2. Delete the existing Android API Key
As I understand it from the docs, when I create my new API Key from the last apk generated, the SHA1 I used to generate it, along with the package name, should match up to my already-deployed android apps. I should not need to re-upload an apk.
Is that correct?
Thanks!

Yes and no.
YES, if you are using OAuth 2.0, which depends only on the SHA1 and package name;
NO, if you are using an API key, which usually requires you to place your key in your manifest file.

Related

Flutter REST API Security

I'm using a REST API key in my Flutter project, in the lib folder, so is there any chance for someone to decompile the APK and see my API key? Is it secured?
Can a user decompile the APK, get the REST API key and write into my database with Postman or something like that?
If you don't share your APK which is generated in debug mode, it won't be easy to access your API key. You should always consider building your APK in release mode. And you can obfuscate your APK too.

Google API key security for iOS apps

TLDR:
Does Google check the validity of an iOS app's bundle identifier when restricting the API key to a specific iOS app?
Or is it possible for anyone to mimic the bundle ID in order to launch an attack?
If the latter is false, why not include the API key in the iOS app?
UPDATE 1:
I'm guessing Google doesn't check for Team ID?
Apple Glossary
App ID A string that identifies one or more apps from a single team. An App ID consists of a bundle ID search string preceded by the Team ID, a 10-character string generated by Apple to uniquely identify a team.
I need some directions... (pun intended)
Say I'm building an iOS app that needs to consume the Google Directions API.
Google suggests to "proxy the web service via your server when you're using the API in a mobile app, to protect your API key".
In my project settings in Google Console (API Manager -> Credentials etc) I can restrict the API key to only iOS apps with my bundle identifier (com.example.MyApp).
Since I don't need a server, what's the worst that can happen if I include the key in the app?
The only thing I can think of right now is someone steals the API key and builds an app faking my bundle ID (or even fake the iOS host itself) and fires "unlimited requests" to bring down my service/make me pay a lot of money.
Is this possible?
And if it is, couldn't he do the same even if I hid the API key in the server? Just call my server instead of the API directly.
So what's the gain of having a server in that case?
And would the only solution to prevent this abuse be to require authentication and rate limit each user?
But couldn't then someone create "unlimited" random accounts?!
Do I use captcha?
By then the UX has become pretty awful, especially since authorisation is not even required for my app...
Is there a solution to this, or do I just choose the simplest solution (include the key in the app) and hope for the best?

Does upgrading GCM preserve the current API Key in use?

I am upgrading a project that has an older version of GCM (7.5) to the latest version of GCM (9.2). The current project already has a server API key, and that key is in use to send push notifications to current users of the app. My specific question is: if we generate the JSON configuration file for the current app, will it re-create (create a new API key) or overwrite the current API key we have in use? We would like to avoid having to do that if possible.
Thank you in advance for any clarity that can be provided.
I haven't experienced upgrading a lower version of GCM to a higher version, but to test this out, I tried importing a Google Project to the Firebase Console (so it's like GCM to FCM), keeping in check the current Server Key.
After successfully importing the project to Firebase, the Server Key from before is retained, and can be seen being used in the Firebase Console. So I think the same behavior can also be expected when upgrading a lower GCM version to a higher version.
I also don't see why the Server API key would re-generate if the GCM project is upgraded.
Though I'm not entirely sure. Hope this helps somehow. Cheers!

GCM Google-services.json storing api key

I am implementing GCM with an Android client, and according to the Google documentation I need to download the google-services.json and add it to the module. I notice that the google-services.json contains the API key for the project. Is it wise to include the API key in the project?
In my scenario I have to use GCM with Android using AWS; in the AWS documentation they are simply adding the project number for registration:
http://docs.aws.amazon.com/sns/latest/dg/mobile-push-gcm.html
But in android studio when I add dependency in the build.gradle I am getting compilation error for missing google-services.json.
com.google.gms:google-services:
So my question is: is there a way I can skip the google-services.json in the Android Studio project? And if not, is it wise to include the API key in that file?
Thanks
P
As has been discussed in this thread, "google-services.json contains developer credentials and configuration settings, which is needed to verify while connecting with GoogleApiClient". However, it was also mentioned that GCM has been used before without google-services.json.
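Both the Flutter question above and this one come down to the same check: does the key you think is (or is no longer) in the app actually ship in the build? The following added example, which is not code from the original thread, scans an APK for Google API key tokens (the "AIza..." form) so you can confirm a restricted key is the one embedded, or that a rotated key is gone; the sample APK and the key value are constructed placeholders.

```python
"""Pre-release check: list Google API keys ("AIza..." tokens) embedded in an APK,
so the key that ships in the app is a known, restricted one, and so a rotated key
is verified gone from the build. Added example, not from the original thread;
the sample APK and the key value below are constructed."""
import io
import re
import zipfile
from typing import Dict, List

# Google API keys are 39 characters: "AIza" followed by 35 URL-safe characters.
ASCII_KEY_RE = re.compile(rb"AIza[0-9A-Za-z_\-]{35}")
# Same token in a UTF-16LE string pool (resources.arsc can store strings that
# way): every character is followed by a NUL byte, so the ASCII pattern misses it.
UTF16_KEY_RE = re.compile(rb"A\x00I\x00z\x00a\x00(?:[0-9A-Za-z_\-]\x00){35}")

def find_keys(data: bytes) -> List[str]:
    """Return every API-key-looking token in a blob, decoding UTF-16 hits."""
    keys = [m.group(0).decode("ascii") for m in ASCII_KEY_RE.finditer(data)]
    keys += [m.group(0).decode("utf-16-le") for m in UTF16_KEY_RE.finditer(data)]
    return keys

def scan_apk(apk: bytes) -> Dict[str, List[str]]:
    """Map each entry of the APK (an APK is a zip file) to the keys found in it."""
    found: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            hits = find_keys(zf.read(info))
            if hits:
                found[info.filename] = sorted(set(hits))
    return found

# Constructed placeholder key (39 chars), not a real credential.
SAMPLE_KEY = "AIzaSyEXAMPLE" + "0" * 26

def build_sample_apk() -> bytes:
    """APK-shaped zip: the key in a JSON asset, in a UTF-16 string pool, and one
    clean entry, so both a hit and a clean file are exercised."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/google-services.json",
                    '{"client": [{"api_key": [{"current_key": "%s"}]}]}' % SAMPLE_KEY)
        zf.writestr("resources.arsc", b"\x02\x00\x0c\x00" + SAMPLE_KEY.encode("utf-16-le"))
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
    return buf.getvalue()

if __name__ == "__main__":
    for entry, keys in scan_apk(build_sample_apk()).items():
        print(f"{entry}: {', '.join(keys)}")
```

A key that is assembled at runtime or stored encoded will not match; the check covers the common case of a plain key in resources, assets or a bundled google-services.json.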

Google API Key for every possible App

So I'm building an app on Appcelerator that uses the Google Maps API to show some information on maps (for Android). I've read all the tutorials and instructions from the Google Developers Console about requesting an API Key. As far as I know, an API Key depends on the SHA1 fingerprint of the keystore you're using to test your app. That's just fine; I got my API Key and everything works on my development environment.
The problem is that my boss, at the moment of testing, can't get to see the maps. I think it's because his "dev_keystore" SHA1 differs from mine, so there must be an authentication problem (that I know, right).
But what bothers me the most is that there is another app that he (or someone on his team) built. I get that app into my development environment, run it with his API Key, and it works... even using my dev_keystore, I guess...
So my question is: is it possible to create an API Key that works in every environment, regardless of the keystore SHA1 and such? I mean, how in hell is that API Key configured so that it works fine on my computer as well as on his?
OK, I figured out what's going on. The default keystore that comes with Titanium Studio is the same for every installation of it. So the other developers might have (and they did) created an API Key for those apps with the default keystore, and that's why it is working in every environment.
I bet that when my boss tries to publish that app, it will not work at all. He'll need to create a more app-related API Key, but that's another story to tell.