FCM Security Alert - android-security

Security alert
Your app contains exposed Google Cloud Platform (GCP) API keys. Please see this Google Help Center article for details.
I have an Android application uploaded to the Google Play Store which uses Firebase for App Cloud Messaging in Android. I have recently got an alert from the Play Console that:
Security alert: Your app contains exposed Google Cloud Platform (GCP) API keys. Please see this Google Help Center article for details.
Could anyone please tell me how to resolve this issue?
Thanks in advance.

Hi, this warning appears because the Google Cloud Platform API key you are using in your app might be exposed. You have to put restrictions on this API key from the Google Cloud Console.
There are two types of restriction:
1. Application Restriction
2. API Restriction
Please refer to the link below:
https://cloud.google.com/docs/authentication/api-keys#api_key_restrictions

Related

android-security - Leaked GCP API KEY

We are getting this error message when publishing app update:
Your app contains exposed Google Cloud Platform (GCP) API keys. Please see this Google Help Centre article for details.
I can follow the instructions and restrict the API Key for Android App by entering package name and SHA-1 certificate fingerprint, but my question is will this somehow affect Google Sign In as the app is available to production.
Like, for instance, any issues with logging in or something?
I still haven't tried to perform the instructions due to concerns that it might prevent Google Sign In from working.

How to get Firebase Analytics App Instance Id for Web App?

I am trying to log a purchase event via the Google Analytics 4 Measurement Protocol. If I read this documentation, it says that I must have app_instance_id so I can send the data from our backend to the GA4 server.
We are using Vue and Firebase Nuxt for our web app, but unfortunately, as you can see from the image below, I can't find a method to get app_instance_id.
So how do I get app_instance_id for a web app in Firebase? Is it not available yet? Please help.

Unfortunately, for now the app_instance_id is not available for web. Please read the full explanation on GitHub from the Firebase Analytics repo maintainer here.

Unknown user in my firebase user authentication (Flutter/firebase)

I developed an app to test the Google login feature using Flutter and Google authentication. The project is a closed project and only I have access to it. But recently I saw that there was a Google sign-in from an unknown email ID. How did the user log in without the build of my app? Has my account been hacked? What is going on?

Anyone with knowledge of your project's API keys can access your Firebase project using simple curl commands.
This is why it's a good idea to add restrictions to those API keys.
In case you haven't, go to https://console.cloud.google.com and:
1. Select your project
2. Click the menu icon at the top left (hamburger icon)
3. Go to APIs & Services and then Credentials
You can view the APIs for your Google Cloud project (linked to your Firebase project) and then set restrictions for the API keys, refresh them or restrict access to specific platforms like Android or iOS.
You can also set restrictions on which components of Firebase the API key is allowed to access. For example, if your project doesn't require the use of Cloud Firestore, you can ensure that the API key cannot be used to make calls to the Firestore database.
All said and done, I would still recommend that you shoot a mail to the Firebase Support team at https://firebase.google.com/support/troubleshooter/contact
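An added example, not part of the original answers: a small audit that checks each key for the two restriction types named above (application restriction and API restriction), including the Android package name and SHA-1 fingerprint entry. It assumes key definitions exported as JSON in the API Keys API v2 shape (for instance with `gcloud services api-keys list --format=json`); the sample keys, package name, fingerprint and the function names are constructed for illustration.

```python
import json

# Constructed sample shaped like API Keys API v2 Key resources, e.g. the output of
# `gcloud services api-keys list --format=json`. Every name and value is made up.
SAMPLE_KEYS = json.loads("""[
 {"displayName": "unrestricted-key", "restrictions": {}},
 {"displayName": "android-restricted", "restrictions": {
   "androidKeyRestrictions": {"allowedApplications": [
     {"packageName": "com.example.app",
      "sha1Fingerprint": "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"}]},
   "apiTargets": [{"service": "firebaseinstallations.googleapis.com"},
                  {"service": "fcmregistrations.googleapis.com"}]}},
 {"displayName": "api-only", "restrictions": {
   "apiTargets": [{"service": "firestore.googleapis.com"}]}}
]""")

# Any one of these fields, when non-empty, counts as an application restriction.
APP_RESTRICTION_FIELDS = ("androidKeyRestrictions", "iosKeyRestrictions",
                          "browserKeyRestrictions", "serverKeyRestrictions")

def audit_key(key, expected_package=None):
    """Return findings for one key; an empty list means both restriction types are set."""
    r = key.get("restrictions") or {}
    findings = []
    if not any(r.get(field) for field in APP_RESTRICTION_FIELDS):
        findings.append("no application restriction")
    if not r.get("apiTargets"):
        findings.append("no API restriction")
    apps = (r.get("androidKeyRestrictions") or {}).get("allowedApplications", [])
    if expected_package and apps:
        # The Android restriction only helps if it names the shipped package
        # and every entry is pinned to a signing-certificate fingerprint.
        if expected_package not in {a.get("packageName") for a in apps}:
            findings.append(f"package {expected_package} not in allowed applications")
        if any(not a.get("sha1Fingerprint") for a in apps):
            findings.append("allowed application without SHA-1 fingerprint")
    return findings

def audit(keys, expected_package=None):
    """Map each key's display name to its list of findings."""
    return {k.get("displayName", k.get("name", "?")): audit_key(k, expected_package)
            for k in keys}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_KEYS, "com.example.app").items():
        print(f"{name}: {'; '.join(findings) if findings else 'OK'}")
```
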
To anyone still wondering about this:
If you provide a native Google sign-in and the registered email addresses look like this:
karolynmccorkle.91842@gmail.com
normabrock.69306@gmail.com
guillermogeorge.53163@gmail.com
kylegomez.35423@gmail.com
opalbarrett.09499@gmail.com
they are probably test accounts used to generate Google Play's pre-launch reports.
You can read about it in the Play Console Help here.
"If your app has a sign-in screen and you want the crawler to test the sign-in process or the content behind it, you need to provide account credentials.
Note that you do not need to provide credentials if your app supports 'Sign-in with Google,' which enables the crawler to log in automatically."

Problem when I published my app on Google

Security alert
Your app contains exposed Google Cloud Platform (GCP) API keys. Please see this Google Help Centre article for details.
Vulnerable locations:
com.onesignal.PushRegistratorFCM->getApiKey
Affects APK version 6
This is a false positive and can be safely ignored. OneSignal is releasing SDK updates to prevent this warning in the future. You can find more details in this thread. https://github.com/OneSignal/OneSignal-Android-SDK/issues/970

App is not verified when using Google Provider in firebase login

I used firebase.auth.signInWithPopup() from this documentation. However, I am getting this warning on the popup window saying that my app isn't verified yet. See image below.
I don't know where to start from here since as far as I can remember, I can't find anything about this on the firebase auth docs. Any advice?
Google now requires apps be verified when you request certain sensitive data:
https://developers.googleblog.com/2017/07/new-security-protections-to-reduce-risk.html
Firebase is not exempt. Why should it be? Any attacker can create a Firebase account with Google provider enabled and try to phish Google users with it.
Verify your app through this link: OAuth consent screen
