problem when i Published my app on google - android-security

Security alert
Your app contains exposed Google Cloud Platform (GCP) API keys. Please see this Google Help Centre article for details.
Vulnerable locations:
com.onesignal.PushRegistratorFCM->getApiKey
Affects APK version 6
enter image description here

This is a false positive and can be safely ignored. OneSignal is releasing SDK updates to prevent this warning in the future. You can find more details in this thread. https://github.com/OneSignal/OneSignal-Android-SDK/issues/970

Related

android-security. - Leaked GCP API KEY

We are getting this error message when publishing app update:
Your app contains exposed Google Cloud Platform (GCP) API keys. Please see this Google Help Centre article for details.
I can follow the instructions and restrict the API Key for Android App by entering package name and SHA-1 certificate fingerprint, but my question is will this somehow affect Google Sign In as the app is available to production.
Like for instance any issues through logging in or something ?
Still haven't tried to perform the instructions due to concerns that it might prevent Google Sign In from working

Firebase API Key Application Restriction Problem

I received an alarming email from Google a couple of days ago stating that:
[Action Required] Firebase services for your application are malfunctioning due to Application restrictions
I have a Vue based website that uses Firebase for Authorization of users and storing files they are uploading. When I configured the API key that I set up, I restricted this key on the application level, to only work from the address of my website.
I did not impose any API restrictions - Under API Restrictions the radio button with Don't Restrict Key is marked
Having said that, when I try to use my website, I get the following error:
[403] Requests from referer [WEBSITE] are blocked.
The email I got from Google stated that:
Firebase SDK updates on February 27, 2020 (Android) and January 14, 2020 (iOS) replaced the Firebase Instance ID service with a dependency on the Firebase Installations API.
As a result, Firebase services like Firebase Cloud Messaging will malfunction for users who installed your app after it was released with updated Firebase SDKs. Additionally, repeated failing requests to Firebase may slow down the end-user experience of your app.
Application restrictions you have applied to the API key used by your Firebase application need to be updated to allow your application to use the API key.
Inside this mail, there were the following instructions:
Open the Google Cloud Platform Console.
Choose the project you use for your application(s). Open APIs &
Services and select Credentials.
Click Edit API key for the API key in question.
Scroll down to the Application restrictions section.
Change the radio button to None, and click Save, or add your
application to the list of allowed Android apps, iOS apps, or HTTP
referrers, respectively.
If the radio button already shows None you may be looking at the
wrong API key.
You can check which API key is used for the Firebase Installations
API by looking at the service usage page for your project.
Since I do not have any API restrictions and there is also no other API key that I have, I don't understand how to solve this situation.
One option that works is having no application restrictions, but I don't think that is the correct solution.
I also tried changing the API Restrictions to allow only the services from Firebase that I am using, but that did not fix the problem.
Any help or direction to a solution, will be appreciated.

How to disable reCaptcha in firebase phone-auth (OTP) android?

I've updated the firebase library recently and didn't change anything else.
implementation 'com.google.firebase:firebase-auth:20.0.1'
implementation 'com.google.firebase:firebase-messaging:21.0.0'
implementation 'com.google.firebase:firebase-storage:19.2.0'
implementation 'com.google.android.gms:play-services-auth:19.0.0'
but whenever a user tries to signup, a Recaptcha is showing for a few seconds and then sometimes redirects to a web browser (CustomChromeTab) after that OTP is received from firebase auth. It takes about 15-30 seconds. How to prevent the Recaptcha? However, I added the SHA1 and SHA256 in the firebase console and have not changed the code. Thanks.
Here is the screenshot of the captcha verification process:
Most of the times while implementing dependencies like:
implementation 'androidx.browser:browser:1.2.0'
the above window pops-up in the browser.
Here, is a way to resolve it successfully.
Step 1-
In the Google Cloud Console, enable the Android DeviceCheck API for your project. The default Firebase API Key will be used, and needs to be allowed to access the DeviceCheck API.
Step 2-
If you haven't yet specified your app's SHA-256 fingerprint, do so from the Settings Page of the Firebase console. Refer to Authenticating Your Client for details on how to get your app's SHA-256 fingerprint.
Hope it works!!!
For more information, you can also check Google SafetyNet API for checking Google Play Services installation in device at the time of Phone Authentication.
Also, need to perform additional steps:
Firebase Project Settings > App check > and Register firebase project in SafetyNet and Play Integrity register with default time token 1 hour.
Don't forget to go in Firebase Project Settings > App check > and Register firebase project in SafetyNet and Play Integrity register with default time token 1 hour and u will remove reCaptcha from phone auth OTP!
Try this alternative method to disable reCaptcha
mAuth = FirebaseAuth.getInstance();
// set this to remove reCaptcha web
mAuth.getFirebaseAuthSettings().setAppVerificationDisabledForTesting(true);
because I've been following Mohd Asim answer, and it doesn't work.
In order to remove the captcha verification, you have to do this in Google cloud console.
IMPORTANT (you may have done that, but for the reminder):
Add the SHA1 and SHA256 of your project (see how to get) in the firebase project setting page (See how to set).
Go to the Library page in the Google APIs Console.
In the search bar type "Android Device Verification", and select the Android Device Verification box (API). The Android Device Verification API dashboard screen appears.
If the API isn't already enabled, click Enable. Hope here your problem solves and if not then proceed further.
If the Create credentials button appears, click on it to generate an API key. Otherwise, click the All API credentials drop-down list, then select the API key that's associated with your project that has enabled the Android Device Verification API.
In the sidebar on the left, click Credentials. Copy the API key that appears.
Use this API key when you call the attest() method of the SafetyNetClient class.
For more information read this official page - https://developer.android.com/training/safetynet/attestation
go to google cloud console
Select project it should be same project in which firebase is running and make sure you have added sha-1 and sha-256 of both debug and release version and put updated google-services.json file in your app.
search android device verification
click on enable
5.done

Firebase google-sign-in fails in production, Linking to Google Play: An error occurred while trying to link

I created and upload an app with google sign-in to google play, it works in debug mode and in release mode
I had to follow:
Generate SHA-1 for Flutter app
and Google sign in failed com.google.android.gms.common.api.ApiException: 10:
Which says that I need to Link Google Play to Firebase https://support.google.com/firebase/answer/6392038?hl=en
But I get the following error:
Any idea how to solve this?
My app is in production but the login fails.
My solution was:
Login to Firebase console
remove your android app
add it again
follow Generate SHA-1 for Flutter app to get your release sha-1 and add it to your app in Firebase console Google sign in failed com.google.android.gms.common.api.ApiException: 10:
remarks:
I believe the actual value of the sha-1 key didn't changed
I didn't add my debug SHA1, only release
I believe simply deleting the debug SHA1 or deleting both and re-entering only the release SHA1 would have also solved the problem, but I didn't test it
I still get the Linking to Google Play: An error occurred while trying to link but I doens't matter as long as the signing works
I guess (didnt check yet) that now my app will fail on google singin indebugmode, but I will deal with it later - I hope that simply adding thedebug` key again will work
extra info (from firebase support)
Here we have two issues: Linking play console to Firebase console, and the issue with the google-sign-in on production.
For the linking problem, note that in order to link or unlink your Play Console account to a Firebase project, you need to use the same Google account on the Play Console and Firebase console. You may also check this https://support.google.com/googleplay/android-developer/answer/6110967?hl=en for more details, if the accounts are the correct try to enable Google Analytics first which then it will allow you to link your Google Play account.
For the second issue, you could have configured the debug and release SHA-1 keys. However, you need a third key hash, when you enroll for Google Play App Signing https://medium.com/mindorks/securing-and-optimizing-your-app-with-google-play-app-signing-24a3658fd319 in play console, you basically ask google to sign your app on your behalf, in order to obtain the key you must add the app signing certificate from the Play console, and add the SHA-1 key in the Firebase console. I really encourage you to read this blog entry https://medium.com/#akashmahali/facebook-login-google-sign-in-not-working-on-android-app-in-production-5febd9537f92, there the author explains more about this error, and how to fix it.
If you have any questions, feel free to write back !

FCM Security Alert

Security alert
Your app contains exposed Google Cloud Platform (GCP) API keys. Please see this Google Help Center article for details.
I have an android application uploaded in google play store which uses Firebase for App Cloud Messaging in android. I have recently got an alert from play console that
Security alert : Your app contains exposed Google Cloud Platform (GCP) API keys. Please see this Google Help Center article for details.
Could you please tell anyone to resolve this issue.
Thanks in advance.
Hi this warning would come because the google cloud platform api key you are using in your app might be exposed you have to put the restriction on this api key from Google Cloud Console.
There are two type of restriction
1. Application Restriction
2. API Restriction
Please refer below link
https://cloud.google.com/docs/authentication/api-keys#api_key_restrictions

Resources