I want to secure my firabse Api keys like mentioned here: https://jsmobiledev.com/article/create-user-account-without-signup-form/ for example. For development I've a dev-Api key for localhost.
For web it's working fine with an own production-Api key, but I want to do it always for Android and iOS. But as far as I understood, capacitor apps are running on localhost and so they need a Web Api key with localhost whitelisted and the iOS key and Android key are not touched?
Thank you for bringing light into the dark here ;-)
Related
I received an alarming email from Google a couple of days ago stating that:
[Action Required] Firebase services for your application are malfunctioning due to Application restrictions
I have a Vue based website that uses Firebase for Authorization of users and storing files they are uploading. When I configured the API key that I set up, I restricted this key on the application level, to only work from the address of my website.
I did not impose any API restrictions - Under API Restrictions the radio button with Don't Restrict Key is marked
Having said that, when I try to use my website, I get the following error:
[403] Requests from referer [WEBSITE] are blocked.
The email I got from Google stated that:
Firebase SDK updates on February 27, 2020 (Android) and January 14, 2020 (iOS) replaced the Firebase Instance ID service with a dependency on the Firebase Installations API.
As a result, Firebase services like Firebase Cloud Messaging will malfunction for users who installed your app after it was released with updated Firebase SDKs. Additionally, repeated failing requests to Firebase may slow down the end-user experience of your app.
Application restrictions you have applied to the API key used by your Firebase application need to be updated to allow your application to use the API key.
Inside this mail, there were the following instructions:
Open the Google Cloud Platform Console.
Choose the project you use for your application(s). Open APIs &
Services and select Credentials.
Click Edit API key for the API key in question.
Scroll down to the Application restrictions section.
Change the radio button to None, and click Save, or add your
application to the list of allowed Android apps, iOS apps, or HTTP
referrers, respectively.
If the radio button already shows None you may be looking at the
wrong API key.
You can check which API key is used for the Firebase Installations
API by looking at the service usage page for your project.
Since I do not have any API restrictions and there is also no other API key that I have, I don't understand how to solve this situation.
One option that works is having no application restrictions, but I don't think that is the correct solution.
I also tried changing the API Restrictions to allow only the services from Firebase that I am using, but that did not fix the problem.
Any help or direction to a solution, will be appreciated.
I'm building a production hybrid mobile app that uses Firebase/Firestore. Since it's a hybrid app, I can not use the bundle ID or HTTP referrer methods to restrict the API key (Google support confirmed this is not supported).
My worry is that anyone could decompile the app and get the API key, using it with a simple Node.js script locally, and access my database.
Node.js scripts can bypass all Firestore rules, making unrestricted API keys very powerful. So far I have been unable to find a way to restrict keys with hybrid apps, including reaching out to Google support. I'm wondering if the only way to actually achieve firebase/firestore security is to use Native apps vs. Hybrid?
Actually for ios, we are not able to restrict the google api key. But, for android we have done with HTTP referrer method only.
For android it is possible.
If you are using ionic4, Please use the same origin value whatever you set in you config.xml corresponding to you android app.
I have FCM working with my app in production then I requested APNs certificates and uploaded them to development & production section in Firebase as written in the docs and everything is working as expected.
Now, I created another Firebase project which serves as a development environment, with an identical app id, but with different FCM Server key.
If I upload the same certificates I used in production to this development environment, will the FCM notifications be sent to development only or to production as well?
For APNs It does not support one certificate and two firebase projects.
It will be sent to both. I just learned the hard way.
I developing a hybrid mobile application using Cordova + Angular 2 + Ionic 2.
When using firebase Auth, when calling signInWithPopup() or signInWithRedirect() for social logins, firebase returns error "This operation is not supported in the environment this application is running on. "location.protocol" must be http or https."
There's also a number of comments on this article, about same thing: https://firebase.googleblog.com/2016/01/social-login-with-ionic_77.html
This is because the location.protocol is file:// and NOT http/s. All hybrid apps will have this issue.
Help.
It won't work
Explanation:
You are trying to connect your hybrid application to firebase using firebase web SDK, so firebase is not allowing to connect.
web SDK is allowed for only HTTP and https based applications
So to connect, use mobile app SDK(there is separate SDK for android and IOS)
If you are using expo to build your application, the recommended way is to use the signInWith UserName and password.
Advanced solution: you need to change the babel config correspondingly
I have developed an app for an open source home security solution (ZoneMinder). The app I developed is called zmNinja (open source again) - and it works rather well. I am now implementing a mechanism to push notifications (motion detection alarms) to people who will use the app.
After going through the APNS and GCM documents, it looks like the "server" which sends the push to devices must integrate with SSL certificates and API keys generated from Apple and/or iOS. And this, specifically for apple requires a developer account.
Therein lies the predicament. Users of 'zoneminder' install their own servers. There is no central server. I've developed a event server that works with 'zoneminder' on web sockets that can be installed along with zoneminder and it sends notification when there are new alarms. This works very well on Android because Android allows the web socket to be open in background but iOS kills it (I can't treat the socket as VoIP/Location/content-news as its none of the above). Hence I am thinking of how to support APNS in the server. In other words, even if I can't do GCM for Android, there is still a way to receive alarms. No such joy for iOS users.
The problem is that like I described above, I won't be hosting the server. The users of the app will own their own server.
Given this, is there any way to support push notifications in IOS without requiring everyone who has their own servers to have apple developer accounts? I assume I can't give my certificates to them either as that would compromise my account.
Thanks