android-security - Leaked GCP API key - Firebase

We are getting this error message when publishing an app update:
Your app contains exposed Google Cloud Platform (GCP) API keys. Please see this Google Help Centre article for details.
I can follow the instructions and restrict the API key for the Android app by entering the package name and SHA-1 certificate fingerprint, but my question is whether this will somehow affect Google Sign-In, as the app is live in production.
Like, for instance, any issues with logging in or something?
I still haven't tried to perform the instructions due to concerns that it might prevent Google Sign-In from working.

Related

Firebase API Key Application Restriction Problem

I received an alarming email from Google a couple of days ago stating that:
[Action Required] Firebase services for your application are malfunctioning due to Application restrictions
I have a Vue based website that uses Firebase for Authorization of users and storing files they are uploading. When I configured the API key that I set up, I restricted this key on the application level, to only work from the address of my website.
I did not impose any API restrictions - under API restrictions the radio button Don't Restrict Key is selected.
Having said that, when I try to use my website, I get the following error:
[403] Requests from referer [WEBSITE] are blocked.
The email I got from Google stated that:
Firebase SDK updates on February 27, 2020 (Android) and January 14, 2020 (iOS) replaced the Firebase Instance ID service with a dependency on the Firebase Installations API.
As a result, Firebase services like Firebase Cloud Messaging will malfunction for users who installed your app after it was released with updated Firebase SDKs. Additionally, repeated failing requests to Firebase may slow down the end-user experience of your app.
Application restrictions you have applied to the API key used by your Firebase application need to be updated to allow your application to use the API key.
Inside this mail, there were the following instructions:
1. Open the Google Cloud Platform Console.
2. Choose the project you use for your application(s). Open APIs & Services and select Credentials.
3. Click Edit API key for the API key in question.
4. Scroll down to the Application restrictions section.
5. Change the radio button to None, and click Save, or add your application to the list of allowed Android apps, iOS apps, or HTTP referrers, respectively.
If the radio button already shows None you may be looking at the wrong API key.
You can check which API key is used for the Firebase Installations API by looking at the service usage page for your project.
Since I do not have any API restrictions, and I have no other API key, I don't understand how to solve this situation.
One option that works is having no application restrictions, but I don't think that is the correct solution.
I also tried changing the API restrictions to allow only the Firebase services that I am using, but that did not fix the problem.
Any help or direction to a solution will be appreciated.

Firebase google-sign-in fails in production, Linking to Google Play: An error occurred while trying to link

I created and uploaded an app with Google sign-in to Google Play; it works in debug mode and in release mode.
I had to follow:
Generate SHA-1 for Flutter app
and Google sign in failed com.google.android.gms.common.api.ApiException: 10:
which says that I need to link Google Play to Firebase: https://support.google.com/firebase/answer/6392038?hl=en
But I get the following error:
Any idea how to solve this?
My app is in production but the login fails.
My solution was:
1. Log in to the Firebase console
2. Remove your Android app
3. Add it again
4. Follow Generate SHA-1 for Flutter app to get your release SHA-1 and add it to your app in the Firebase console (see Google sign in failed com.google.android.gms.common.api.ApiException: 10:)
Remarks:
I believe the actual value of the SHA-1 key didn't change.
I didn't add my debug SHA-1, only the release one.
I believe simply deleting the debug SHA-1, or deleting both and re-entering only the release SHA-1, would have also solved the problem, but I didn't test it.
I still get "Linking to Google Play: An error occurred while trying to link", but it doesn't matter as long as the signing works.
I guess (didn't check yet) that now my app will fail on Google sign-in in debug mode, but I will deal with it later - I hope that simply adding the debug key again will work.
Extra info (from Firebase support):
Here we have two issues: linking the Play Console to the Firebase console, and the issue with Google sign-in in production.
For the linking problem, note that in order to link or unlink your Play Console account to a Firebase project, you need to use the same Google account on the Play Console and the Firebase console. You may also check https://support.google.com/googleplay/android-developer/answer/6110967?hl=en for more details. If the accounts are correct, try to enable Google Analytics first, which will then allow you to link your Google Play account.
For the second issue, you could have configured the debug and release SHA-1 keys. However, you need a third key hash: when you enrol in Google Play App Signing (https://medium.com/mindorks/securing-and-optimizing-your-app-with-google-play-app-signing-24a3658fd319) in the Play Console, you basically ask Google to sign your app on your behalf. In order to obtain the key you must get the app signing certificate from the Play Console and add its SHA-1 in the Firebase console. I really encourage you to read this blog entry https://medium.com/@akashmahali/facebook-login-google-sign-in-not-working-on-android-app-in-production-5febd9537f92, where the author explains more about this error and how to fix it.
If you have any questions, feel free to write back!
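The two failure modes in this thread and in the referrer-restriction question above (a signing certificate, typically the Play App Signing one, missing from the key's Android application restriction, and an API restriction that no longer includes the Firebase Installations API) can be checked before a release rather than discovered from a 403 in production. The script below is an added example, my own code rather than the poster's, Firebase support's or Google's. It assumes the field layout of a Key resource in the API Keys API v2 (`restrictions.androidKeyRestrictions.allowedApplications[]` with `packageName` and `sha1Fingerprint`, and `restrictions.apiTargets[].service`) and the service names `identitytoolkit.googleapis.com` (Firebase Authentication / Google Sign-In) and `firebaseinstallations.googleapis.com`; every fingerprint, the package name and the `keytool` excerpt are constructed placeholders.

```python
"""Check a GCP API key's restrictions against the certificates and services a Firebase Android app needs.

Added example, not code from the thread or from Google. Field names follow the
API Keys API v2 Key resource as I understand it (an assumption); fingerprints,
package name and key name are constructed placeholders.
"""
import copy
import re

# Services the (assumed) app calls: Auth / Google Sign-In and the Installations API
# named in the email quoted in the referrer-restriction question.
REQUIRED_SERVICES = {
    "identitytoolkit.googleapis.com",
    "firebaseinstallations.googleapis.com",
}

# Constructed: debug and upload certificates registered, the Play App Signing
# certificate forgotten, and an API restriction that only lists Auth.
SAMPLE_KEY = {
    "name": "projects/PLACEHOLDER/locations/global/keys/PLACEHOLDER",
    "restrictions": {
        "androidKeyRestrictions": {
            "allowedApplications": [
                {"packageName": "com.example.app", "sha1Fingerprint": "aa" * 20},
                {"packageName": "com.example.app", "sha1Fingerprint": ":".join(["BB"] * 20)},
            ]
        },
        "apiTargets": [{"service": "identitytoolkit.googleapis.com"}],
    },
}

# Constructed excerpt of `keytool -printcert` output for the Play App Signing
# certificate downloaded from the Play Console (values are placeholders).
SAMPLE_KEYTOOL_OUTPUT = (
    "Certificate fingerprints:\n"
    f"\t SHA1: {':'.join(['CC'] * 20)}\n"
    "Signature algorithm name: SHA256withRSA\n"
)


def normalize_sha1(fp: str) -> str:
    """Accept 'AA:BB:...' or 'aabb...' and return the lowercase colon-separated form."""
    raw = fp.replace(":", "").strip().lower()
    if not re.fullmatch(r"[0-9a-f]{40}", raw):
        raise ValueError(f"not a SHA-1 fingerprint: {fp!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 40, 2))


def sha1_from_keytool(output: str) -> str:
    """Pull the SHA1 line out of `keytool -list -v` / `keytool -printcert` output."""
    m = re.search(r"SHA1:\s*([0-9A-Fa-f:]{59})", output)
    if not m:
        raise ValueError("no SHA1 fingerprint in keytool output")
    return normalize_sha1(m.group(1))


def check_android_key(key: dict, package_name: str, signing_fingerprints: dict, required_services: set) -> list:
    """Return a list of problems; an empty list means every build users run can use the key.

    signing_fingerprints maps a label to the SHA-1 of each certificate that can
    sign a build users run: debug, upload/release and Play App Signing.
    """
    problems = []
    restrictions = key.get("restrictions", {})

    android = restrictions.get("androidKeyRestrictions")
    if android is None:
        problems.append("no application restriction: anything holding the key can call the APIs")
    else:
        allowed = {(a["packageName"], normalize_sha1(a["sha1Fingerprint"]))
                   for a in android.get("allowedApplications", [])}
        for label, fp in signing_fingerprints.items():
            fp = normalize_sha1(fp)
            if (package_name, fp) not in allowed:
                problems.append(f"{label} certificate {fp} for {package_name} is not in allowedApplications")

    targets = restrictions.get("apiTargets")
    if targets:  # absent or empty: the key is not API-restricted
        enabled = {t["service"] for t in targets}
        for svc in sorted(required_services - enabled):
            problems.append(f"API restriction blocks {svc}")
    return problems


def signing_certs() -> dict:
    """Every certificate that signs a build users might run (constructed values)."""
    return {"debug": "aa" * 20, "upload": "bb" * 20,
            "play-app-signing": sha1_from_keytool(SAMPLE_KEYTOOL_OUTPUT)}


def demo() -> list:
    """Problems for the misconfigured sample key."""
    return check_android_key(SAMPLE_KEY, "com.example.app", signing_certs(), REQUIRED_SERVICES)


def demo_fixed() -> list:
    """Same key after adding the Play App Signing certificate and the Installations API."""
    fixed = copy.deepcopy(SAMPLE_KEY)
    fixed["restrictions"]["androidKeyRestrictions"]["allowedApplications"].append(
        {"packageName": "com.example.app", "sha1Fingerprint": "cc" * 20})
    fixed["restrictions"]["apiTargets"].append({"service": "firebaseinstallations.googleapis.com"})
    return check_android_key(fixed, "com.example.app", signing_certs(), REQUIRED_SERVICES)


if __name__ == "__main__":
    for p in demo():
        print("PROBLEM:", p)
    print("after fix:", demo_fixed())
```

Fingerprints are normalized before comparison because the Firebase console, the Play Console's app signing page and `keytool` all show them as uppercase colon-separated hex, while values copied from elsewhere often drop the colons; a silent case or separator mismatch looks exactly like the `ApiException: 10` in the question.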

Unknown user in my firebase user authentication (Flutter/firebase)

I developed an app to test the Google login feature using Flutter and Google authentication. The project is a closed project and only I have access to it. But recently I saw that there was a Google sign-in from an unknown email ID. How did the user log in without the build of my app? Has my account been hacked? What is going on?
Anyone with knowledge of your project's API keys can access your Firebase project using simple curl commands.
This is why it's a good idea to add restrictions to those API keys.
In case you haven't, go to https://console.cloud.google.com and:
1. Select your project
2. Click the menu icon at the top left (hamburger icon)
3. Go to APIs & Services and then Credentials
You can view the APIs for your Google Cloud project (linked to your Firebase project) and then set restrictions for the API keys, refresh them, or restrict access to specific platforms like Android or iOS.
You can also set restrictions on which components of Firebase the API key is allowed to access. For example, if your project doesn't require the use of Cloud Firestore, you can ensure that the API key cannot be used to make calls to the Firestore database.
All said and done, I would still recommend that you shoot a mail to the Firebase Support team at https://firebase.google.com/support/troubleshooter/contact
To anyone still wondering about this:
If you provide a native Google sign-in and the registered email addresses look like this:
karolynmccorkle.91842@gmail.com
normabrock.69306@gmail.com
guillermogeorge.53163@gmail.com
kylegomez.35423@gmail.com
opalbarrett.09499@gmail.com
they are probably test accounts used to generate Google Play's pre-launch reports.
You can read about it in the Play Console Help here.
If your app has a sign-in screen and you want the crawler to test the sign-in process or the content behind it, you need to provide account credentials.
Note that you do not need to provide credentials if your app supports "Sign-in with Google", which enables the crawler to log in automatically.

problem when i Published my app on google

Security alert
Your app contains exposed Google Cloud Platform (GCP) API keys. Please see this Google Help Centre article for details.
Vulnerable locations:
com.onesignal.PushRegistratorFCM->getApiKey
Affects APK version 6
This is a false positive and can be safely ignored. OneSignal is releasing SDK updates to prevent this warning in the future. You can find more details in this thread: https://github.com/OneSignal/OneSignal-Android-SDK/issues/970

FCM Security Alert

Security alert
Your app contains exposed Google Cloud Platform (GCP) API keys. Please see this Google Help Center article for details.
I have an Android application uploaded to the Google Play Store which uses Firebase for Cloud Messaging on Android. I have recently got an alert from the Play Console that:
Security alert: Your app contains exposed Google Cloud Platform (GCP) API keys. Please see this Google Help Center article for details.
Could anyone please tell me how to resolve this issue?
Thanks in advance.
Hi, this warning would come because the Google Cloud Platform API key you are using in your app might be exposed. You have to put a restriction on this API key from the Google Cloud Console.
There are two types of restriction:
1. Application restriction
2. API restriction
Please refer to the link below:
https://cloud.google.com/docs/authentication/api-keys#api_key_restrictions
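Before deciding whether an "exposed GCP API keys" alert is the expected Firebase key (restrict it, as the answer above says) or a stray key that should not ship at all (the OneSignal case above names the class that held it), it helps to see which key strings are actually embedded in the build. The scanner below is an added example, my own code rather than anything from the thread, Google or OneSignal. It relies on one fact: a Google API key is a 39-character string beginning with `AIza`. APKs and AABs are zip files, so it walks every entry and looks for that shape in both ASCII/UTF-8 (DEX, JSON assets) and UTF-16LE (resource tables). The "APK" it scans is built in memory, and every key in it is a constructed placeholder, not a real key.

```python
"""Find Google API key literals embedded in a build artifact (APK or AAB, both zip files).

Added example, not from the thread or from Google/OneSignal. Run it over your
own release artifact to learn which key a Play Console alert refers to. Every
key and entry below is constructed; the archive is built in memory.
"""
import io
import re
import zipfile

# Key shape: "AIza" + 35 chars of [0-9A-Za-z_-]. An optional NUL after each byte lets
# the same pattern match UTF-16LE strings (resources.arsc) as well as ASCII/UTF-8
# (classes.dex, JSON assets). The group is non-capturing, so findall yields whole matches.
KEY_RE = re.compile(rb"A\x00?I\x00?z\x00?a\x00?(?:[0-9A-Za-z_-]\x00?){35}")

FAKE_KEY_A = "AIza" + "CONSTRUCTED_PLACEHOLDER_KEY_" + "0" * 7   # constructed, 39 chars
FAKE_KEY_B = "AIza" + "CONSTRUCTED_PLACEHOLDER_KEY_" + "1" * 7   # constructed, 39 chars
assert len(FAKE_KEY_A) == len(FAKE_KEY_B) == 39


def scan_archive(archive_bytes: bytes) -> dict:
    """Return {entry name: sorted key strings} for every entry that contains a key literal."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            # Strip the UTF-16 padding NULs so both encodings yield the same string.
            keys = {m.replace(b"\x00", b"").decode("ascii") for m in KEY_RE.findall(data)}
            if keys:
                hits[info.filename] = sorted(keys)
    return hits


def distinct_keys(hits: dict) -> set:
    """Collapse per-entry hits into the set of key strings the artifact ships."""
    return {k for keys in hits.values() for k in keys}


def build_sample_archive() -> bytes:
    """Constructed stand-in for an APK: key A in DEX (ASCII) and in the resource
    table (UTF-16LE), key B in a vendor config asset, and one entry with no key."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 8 + FAKE_KEY_A.encode() + b"\x00tail")
        zf.writestr("resources.arsc", b"\x02\x00\x0c\x00" + FAKE_KEY_A.encode("utf-16-le") + b"\x00\x00")
        zf.writestr("res/raw/vendor_config", b'{"apiKey": "' + FAKE_KEY_B.encode() + b'"}')
        zf.writestr("assets/readme.txt", b"no key literals in this entry")
    return buf.getvalue()


def demo() -> dict:
    """Scan the constructed archive; real use: scan_archive(open(path, 'rb').read())."""
    return scan_archive(build_sample_archive())


if __name__ == "__main__":
    hits = demo()
    for entry, keys in hits.items():
        print(f"{entry}: {', '.join(keys)}")
    print("distinct keys:", len(distinct_keys(hits)))
```

A key turning up in `classes.dex` or a third-party asset rather than in your own resources is the signal to check which SDK bundled it; a key that is yours still needs the application and API restrictions described above, since the alert fires on the presence of the string, not on whether it is restricted.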
