Google Maps API KEY Abuse using BOTNET + APK - google-maps-api-3

I'm going to make an app which uses the Google Maps API. We all know it isn't free for searching etc.
This API key needs to be saved in the app code, which can be reverse engineered and extracted.
What if someone uses a botnet + my APK file to drain my Google Maps account?

You can end up with a very high bill if your API key is not restricted.
To restrict it, follow the steps below.
To set an application restriction for an API key:
1. Visit the credentials panel.
2. Select the API key that you want to set a restriction on. The API key property page appears.
3. Under Key restrictions, select Application restrictions.
4. Select one of the restriction types and supply the requested information following the restriction list.
   Android apps: Add your package name and SHA-1 signing-certificate fingerprint to restrict usage to your Android app. Below the types, add the SHA-1 signing-certificate fingerprint and your Android package name from your AndroidManifest.xml file.
   iOS apps: Accept requests from the iOS app with the bundle identifier that you supply. Below the types, select the appropriate iOS bundle identifier from the list.
5. Click Save.
The restriction becomes part of the API key definition after this step. If you fail to provide the appropriate details or do not click "Save", the API key will not be restricted.
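The Android restriction above binds the key to two values: the package attribute from AndroidManifest.xml and the SHA-1 fingerprint of the signing certificate (the same value keytool prints, i.e. SHA-1 over the raw DER bytes, uppercase, colon-separated). The script below is an added example, not code from the answer or from Google: it derives both values and then models, with a hypothetical allowlist check, why an extracted key alone is not enough once the restriction is in place. The manifest is constructed, and the "certificate" bytes are a placeholder standing in for a real DER-encoded certificate.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample AndroidManifest.xml (not from any real app).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mapsdemo">
    <application android:label="Maps Demo" />
</manifest>
"""

# Placeholder for the DER bytes of a signing certificate; a real one comes from
# `keytool -exportcert` or from META-INF/*.RSA inside the APK.
PLACEHOLDER_CERT_DER = b"abc"

# 20 bytes as uppercase hex pairs separated by colons, e.g. AA:BB:...:FF
FINGERPRINT_RE = re.compile(r"^([0-9A-F]{2}:){19}[0-9A-F]{2}$")


def package_name_from_manifest(manifest_xml: str) -> str:
    """Return the package attribute of the <manifest> root element.

    This is the value entered as the package name in the Android restriction.
    """
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("root element is not <manifest>")
    package = root.get("package")
    if not package:
        raise ValueError("manifest has no package attribute")
    return package


def sha1_fingerprint(cert_der: bytes) -> str:
    """SHA-1 fingerprint of a DER-encoded certificate in keytool's format."""
    digest = hashlib.sha1(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def is_valid_fingerprint(fp: str) -> bool:
    """Reject values that would not be accepted as a SHA-1 fingerprint."""
    return bool(FINGERPRINT_RE.match(fp))


def build_restriction(manifest_xml: str, cert_der: bytes) -> dict:
    """Bundle the two values the credentials page asks for."""
    return {
        "package_name": package_name_from_manifest(manifest_xml),
        "sha1_fingerprint": sha1_fingerprint(cert_der),
    }


def request_allowed(restriction: dict, package_name: str, cert_der: bytes) -> bool:
    """Hypothetical model of the check an Android app restriction implies.

    A caller must present the registered package name AND sign with the
    registered certificate; knowing the key string by itself is not enough.
    (This models the idea; it is not Google's actual enforcement code.)
    """
    return (package_name == restriction["package_name"]
            and sha1_fingerprint(cert_der) == restriction["sha1_fingerprint"])


if __name__ == "__main__":
    restriction = build_restriction(SAMPLE_MANIFEST, PLACEHOLDER_CERT_DER)
    print("package name:    ", restriction["package_name"])
    print("SHA-1 fingerprint:", restriction["sha1_fingerprint"])
    # Legitimate app: right package, signed with the registered certificate.
    print("own app allowed:  ", request_allowed(restriction, "com.example.mapsdemo", PLACEHOLDER_CERT_DER))
    # Repackaged copy signed with some other certificate: rejected.
    print("resigned copy:    ", request_allowed(restriction, "com.example.mapsdemo", b"other-cert"))
```

To get the real fingerprint for your release key, run keytool against the keystore you sign with and copy the SHA-1 line; if the value does not match the regular expression above, it has been mangled in transit (lowercase, missing colons, wrong length) and the restriction will not match your app.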

Related

Troubleshooting user access/permissions to Adobe Analytics API

I'm trying to query the Adobe Analytics API, but I'm unsure that we have the right permissions in place.
I've received confirmation that our account has "Web service access" enabled -- however, Adobe Analytics does not appear as an option when I try to "create a project" on API via Adobe I/O. As a result, I'm blocked from actually trying out the API in that environment.
Are there any other permissions I need to request from the Admin?
Do I need to have some sort of Developer Access in place in addition to "Web service access"? Is it possible to have one without the other?
Any guidance would be a big help -- thanks
You need two things before being able to create an Analytics project and query the API: the Role of Developer (or higher), and, at a minimum, permissions for Report Suites, Metrics, and Dimensions groups.
If you're able to create a project before getting both of these, the API credentials you get (API key, Client key, etc.) won't work; you'll need to create a new project again.
This document has more detail about what's required.

How to update billing information for a Flex Token?

Currently, I'm working with 2 apps where user can generate a payment token associated with their account. 1 uses the Secure Acceptance Hosted Checkout and the other uses Flex Microform. 1 possible case involves the user's card being captured via the Microform and then later updated via the Hosted Checkout.
The docs mention being able to replace the billing info associated with the Flex token, but it's unclear what mechanism is available. I'm aware that the Hosted Checkout supports updating this info, but it's preferred to make the update without prompting the user via the Hosted Checkout so the user never needs to see the default address or be required to put in their address twice. Is there an endpoint that can be used to achieve this?
I don't know if it's the intended way of doing things for Cybersource, but there is a SOAP service named "paySubscriptionUpdateService" in the Simple Order (SOAP) API that allowed me to update the name & address on a token generated via the Flex API.
You can take a look at the Simple Order API documentation on the Cybersource website - chapter 7 "Updating a subscription":
https://developer.cybersource.com/library/documentation/dev_guides/Recurring_Billing/SO_API/Recurring_Billing_SO_API.pdf
I'm sure there is a way through the REST API too, I'm just not sure how to do it yet. I'll circle back if I see something.

Firebase browser key API restrictions

When creating a new project Firebase generates browser API keys automatically in the GCP API credentials. This is the same API key that is set in the Firebase Web client SDKs and is publicly available.
By default the key has no restrictions, so it's prone to quota stealing for every API enabled for that project. Surprisingly I have not found information about securing this key in the Firebase documentation.
So I took two extra steps to secure the key:
1. Added an HTTP referrer restriction to allow requests from my domain only.
2. Added the Identity Toolkit API to the list of allowed APIs. Experimentally I've figured out that it's enough for Firebase Auth and Firestore to work.
3. Added the Token Service API. This is needed for refresh tokens to work and to keep the authentication.
My question is mostly related to points #2-3. What are the APIs that need to be enabled for the various components of Firebase to work on the web?
I also enabled those same two APIs, but I used the Metrics Explorer to see what the various Firebase-created keys had been using based on actual traffic.
In GCP:
1. Go to Monitoring -> Metrics Explorer
2. Click 6W in the time range above the graph
3. Resource Type: start typing consumed_api and select it
4. Metric: choose Request Count
5. Group By: type credential_id, select it, then type service, and select it
6. Aggregator: select sum
By now, the legend for the graph should list all the credential ids and which services they used in the last 6 weeks. You should be able to figure out the APIs from the service.
You can use Filter to filter by credential_id if the results are too noisy.
"By default the key has no restrictions, so it's prone to quota stealing for every API enabled for that project."
This is indeed possible and I am able to make e.g. a Google Maps API call with the auto-generated Firebase API key.
Such preconfigured behaviour was certainly unexpected and I am now experimenting with the restrictions as per the extra steps described in the original question.

Creating new firebase storage bucket with dynamic name

We are trying to create a new storage bucket whose name would be dynamically created. The Firebase web interface provides this capability. It appears that the admin SDK (node.js) does not.
This screen capture shows the web interface behaviour. As you hit "add bucket", a new unique bucket name is dynamically generated.
This feature could be useful in creating buckets dynamically without having the need to reuse/develop a mechanism to generate unique names, and also prevents using uids (which is usually not recommended).
Can anyone confirm our understanding is right? Any insight whether this will be released (or at least in preview) in the upcoming releases of the admin SDK?
The SDK should at least have feature parity with the web interface.
If not, I am willing to open a feature request with the Firebase team.

Asking the user for settings when enabling an Alexa Skill

I am working on an Alexa skill which uses an external web service which requires an API key.
I can't find for the life of me where I can add this property in, so that when the user enables the Alexa skill (I haven't got as far as publishing yet, but I assume there is a property I can set somewhere for testing as well) they can add their API key, and I receive this within my node.js Lambda function and extract it and use it for my POST request to the web service.
I know there is an Amazon Account Linking Service, but the web service I am using doesn't support this type of login, I believe; their API is only accessed by sending a header containing the API key. Therefore I need a way for the user to be able to store their API key somewhere so I can then post this to the web service from the Lambda code.
I'm not clear on how you expect the user to 'add their API key'.
The only built-in UI is the cards that your skill can push to a user but these are very limited and can't request information from the user.
Amazon does not show the user any sort of configurable settings for the skills.
And you have noted account-linking and that it does not address your needs.
So you could either ask the user to say the API key, which would be much too error prone unless it is unusually short, or you will need to direct the user (probably via a card) to your own website where they will provide their API key.