I'm currently developing an app which is only accessible by me for now. I can already connect to Firebase but somehow I noticed that there's alot of unknown email added. I'm expecting it to have around 4 email which I have used for testing. May I know why this happened? And will this affect my app if ever I finished developing it?
Note that I didn't share/upload any info/keys that I'm using.
I was thinking that someone might have used my info/keys mistakenly that is why this happens.
If you uploaded your App to the Play Store such accounts are created by Google while they verify your app. That is normal. You don't need to worry about it.
Also see: My Firebase project has unknown users, has my google cloud service account been compromised?
Related
I have been developing an app for the last 3 years. I started seeing strange emails pop up from time to time in my Auth page. There are only 4 persons that ever had any version of the app on their phone (it is Android). I asked all of them, those email accounts were not theirs.
All the emails are authenticated via Google Auth and all have this exact structure: "name.number#gmail.com"
Example: claireortiz.65705#gmail.com
There are like 10, idk if the app got out to some people, the github repo with the app is private.
I want to make the previous versions of the app unusable, how do I regenerate all of my authentication, functions and everything else or my google-services.json so any people that previously had any versions of the app can not access this firebase project. I do not want to create a new Firebase project, I just want people that do not have the newer version of the app to not be able to connect to this project. Maybe some API keys got out somehow, I want to reset it all.
I know the question is not about programming, but I'm a bit confused
I work on the Android app and have not published or shared it with anyone and there is no other app related to the app or databases
Despite that, I find accounts that I haven't added to databases, there are people who create accounts in databases in some way.
How can I find out how they can create an account?
These are some of the accounts who created my account :
admin#sheridanbuilding.com.au
megaliceb#aol.com
lcchen93#hotmail.com
headphonejackbuisness#gmail.com
Once an account is created, there is no way to track how that happened. The APIs for dealing with Firebase Auth are effectively public, so once you enable the email/password authentication method, anyone can start using it, even outside of your app.
I am developing an Android App using Firebase. I had everything running fine up to this morning. I went to Firebase, imported the project at their new console and then I tried to add Analytics to my app.
At this point I couldn't use Google login, and I guess it was because adding Analytics I skipped to add my SHA-1 key, so the newest information at Google was that I didn't have a SHA-1 key. I didn't see that I had to whitelist my Google app which was actually login in people in my app, and that was a big mistake. Trying to solve it I begun to change things, so many that I couldn't even list them here. A short version could be:
I updated the Android SKD Manager.
I changed the dependencies for Gradle. Still not working.
I saw that I could give my SHA-1 key to Firebase, but I had a alert saying that this key was already in use by another App (the one at Google API)
In order to solve it, I deleted the credentials of my Google API App -not so good idea-
Then I used my SHA-1 key at Firebase. Still not working.
I tried to put everything as it was at the beginning, but now I cannot delete my key from Firebase. What I've done is write a random key to be able to use it at Google API.
I went to Google API and created a new credential for the App that I was using and was working fine up to this morning.
I whitelisted the App ID at my Firebase Auth settings. Still not working
Surely I have done other stuff but I don't even remember.
Now I have the following error when I try to login with Google, but also with Facebook(?!), and I haven't tried with other providers. The error says:
FirebaseLoginError = PROVIDER_NOT_ENABLED: Make sure google login is enabled and configured in your Firebase. (FirebaseError: Invalid authentication credentials provided.)
There are so many things that could lead to a problem that I have been trying to fix it during all the morning and I am still completely lost.
What should I do to restore everything as it was?
I'm making a Cordova 4.0 Android app that will be sold in Google Play, and I would like to prevent illegal use of it (for example preventing someone to extract the APK from the system and re-distributing it).
One theoretical way of doing this would be by checking that when the app is launched by the user, he did actually download it from Google Play (versus being it sideloaded). I'm not even sure if this is possible or if there's an alternate way of doing something like this.
One way that works in other cases is to use require some sort of login when accessing the app, but in this case I can't do that. Any advice would be appreciated!
Google offers a way to implement validation / licensing:
http://developer.android.com/google/play/licensing/index.html
Take a look if this is what you need!
One suggestion would be for those apps which are get connected to a server to fetch some data.
App verification token
Generate an encoded 64-bit long token and store on both device & server as well. This will be a unique token per app
Whenever app tries to connect to server, it sends the device token details. Server needs to verify it before fulfilling its request.
On specific events, server can generate a new token for a device.
Same way, device token can be mapped to a user or an app on the server side.
Token could carry some app related information, for instance.
first 4 or 6 digits represent app size
second block of digits could represent user specific or device or some other details
Or another block could hold app contents modification date
In case of any change, server could verify the app size, last app contents modification dates, etc.
Generally it is recommended to uglify, obfuscate and minimize app resources before submission.
You can use the package manager class to determine the source of an app (only google or amazon currently detected)
You can similarly use google analytics which gives same information.
This is pretty neat since Android stores the source of every package, allowing apps to know where they came from, to prevent piracy and sideloading.
Great if you always publish to google or amazon. Useless if you sideload your app.
We run a web application with a Java Script- and an Android front end. We use Google IDs with OAuth for authentication. Everything worked find until today authenticaiton suddenly stopped working. There was no new software version deployed or any operational changes. Now, when a user tries to log on via the browser application, Google issues
401. That’s an error.
Error: disabled_client
The OAuth client was disabled.
Request Details
scope=openid profile email
response_type=code
redirect_uri=https://***.net/signin-google
state=***
client_id=******.apps.googleusercontent.com
That’s all we know.
When logging in via Android App, authentication fails too, GoogleAuthUtil.getToken raises an unspecific exception.
I couldn't find much information when googling for this error message. Some say, one should try to change the application name in the consent screen. This didn't help in my case.
In developer console I noticed, that I cannot create a new Client ID for this project. I always get a technical error ("Server Error Whoops! Our Bad.") with a tracking number. Seems to be related.
I have a total of 7 Client IDs registered for this project and 3 public API access keys.
Is it possible, that Google explicitly disabled our project? That's how it actually feels. For what reason? I didn't get any notification. Our product is an application for access control, nothing special or illegal here.
Any ideas? This is a production environment, so for us the problem is absolutely severe.
Thanks for any help!
In the meantime we found out, that our Android App was removed from the Play Store and we got following notification:
This is a notification that your application, <...>, with package ID <...>, has been removed from the Google Play Store.
REASON FOR REMOVAL: Violation of the Personal and Confidential Information provision of the Content Policy.Please refer to the policy help article for more information.
We don't allow unauthorized publishing or disclosure of people's private and confidential information, such as credit card numbers, government identification numbers, driver's and other license numbers, non-public contacts, or any other information that is not publicly accessible.
We are very careful about the data inside our application and we take privacy and security extremely seriously as the hole app is about security and our customer's trust is absolutely essential. However, we recently introduced a feature that periodically sends the LogCat output to our servers for debugging reasons. Our app is in an early preview state which we make clear in the app description. It's used by a very limited number of people as it can only be used with a special piece of hardware we provide. The LogCat output only contains data from the app itself, no confident data of any kind. We published a couple of related apps and not all have the feature even included but all were suspended. However, we guess that this feature is the reason for removing.
Edit
In the meantime we wrote an appeal via the form provided on Google Play. The ban was removed from Google Play and the related Google OAuth Client shortly after.
We were informed, that our App collects names of running tasks and sends them to our servers, which is not the case. However, we used the crittercism library and the crittercism docs suggest to require the "GET_TASKS" permission, what we did. I don't think, that Crittercism is considered as dangerous as it's used by lots of applications. But maybe the combination of a Logging Service on the one hand and the GET_TASKS permission on the other hand, although not dangerous in our case, triggered some automatic rules at Google.
To fix this we simply removed Crittercism and all related permission requirements as it wasn't very useful for us anyways.