Android Place SDK restricted API key is not working - android

I know that place API requires server key to use but I am using place SDK for android. I am using restricted Android API key (Restricted using package name and SHA1) but it is giving me below error:
This IP, site or mobile application is not authorized to use this API
key. Request received from IP address 203.122.438.42, with empty
referer
For reference, I am pasting my code below:
public PlacesSearchResponse fetch(com.google.maps.model.LatLng location) {
PlacesSearchResponse request = new PlacesSearchResponse();
GeoApiContext context = new GeoApiContext.Builder()
.apiKey(BuildConfig.MAPS_API_KEY)
.build();
try {
request = PlacesApi.nearbySearchQuery(context, location)
.radius(5000)
.keyword("Shivam")
.type(PlaceType.BAKERY)
.await();
} catch (Exception e) {
e.printStackTrace();
} finally {
return request;
//Log.d("==", "=====" + request.results[0].name);
}
}
Dependency I am using:
> //To get near by locations
> implementation 'com.google.maps:google-maps-services:0.18.0'
> implementation 'com.squareup.okhttp3:okhttp:4.9.0'

You are not using Places SDK for Android. As far as I can see from your code you are using a Java wrapper for Google Maps web services. Web services are always intended to be used on server side and the only restriction that they accept is an IP address restriction on API key.
Have a look at this Java library in github (https://github.com/googlemaps/google-maps-services-java) and pay attention to the documentation, especially "Intended usage of this library" section. It states
The Java Client for Google Maps Services is designed for use in server applications. This library is not intended for use inside of an Android app, due to the potential for loss of API keys.
If you are building a mobile application, you will need to introduce a proxy server to act as intermediary between your mobile application and the Google Maps API Web Services. The Java Client for Google Maps Services would make an excellent choice as the basis for such a proxy server.
So, as you can see, the suggested by Google solution is introducing an intermediate proxy server where you can use this library with an API key restricted by IP address of your intermediate proxy server.

Related

Can I use my Android API key when making http request to Google Map API?

I have created an API key for my Android app like this in the Google Cloud Platform console
and then I use that Android API key to make request to Google Map API (reverse geocoding) to this endpoint below using HTTP client like retrofit or Dio (directly from my Android client app)
https://maps.googleapis.com/maps/api/geocode/json?key=AIzaSyCxxxxxxxxxxxddgaQTwwlYDBmP8&latlng=-6.150934,106.8251672
but unfortunately I get error json response from Google:
This IP, site or mobile application is not authorized to use this API
key. Request received from IP address 180.111.11.111, with empty
referer
Can I use my Android API key when making http request from my Android client App to Google Map API? what should I do to make request to Google Map API from my Android client app? should I make my own endpoint as a 'wrapper' instead?
Can I use my Android API key when making http request from my Android client App to Google Map API?
No. Instead of using two keys, you should make a call through the SDK, https://developer.android.com/reference/android/location/Geocoder.
See this answer.
Geocoder geoCoder = new Geocoder(context);
List<Address> matches = geoCoder.getFromLocation(latitude, longitude, 1);
Address bestMatch = (matches.isEmpty() ? null : matches.get(0));

Getting a Google Speech API access token for a production Android app

I'm using the Google Speech API in an Android app. The README states:
In this sample, we load the credential from a JSON file stored in a raw resource folder of this client app. You should never do this in your app. Instead, store the file in your server and obtain an access token from there.
Are there any samples regarding how to properly obtain an access token for a production app?
From what I've gathered, it seems that I can use Application Default Credentials provided via Compute Engine or GAE, but I have no idea how to actually respond with an access token to my app.
I'm the author of the sample.
Here's the part that should be on the server side. Basically, you have to store the JSON file securely on your server side, and fetch a new access token when you get a request from your mobile app. Mobile app should always talk with your server to get an access token. This way, you don't need to put your service account key in the APK.
// In response to a request from a mobile client
// Open the JSON file stored on the server side.
final InputStream stream = ...;
try {
// Initialize the credentials
final GoogleCredentials credentials =
GoogleCredentials.fromStream(stream)
.createScoped(SCOPE);
// Fetch a new access token.
final AccessToken token = credentials.refreshAccessToken();
// Return the token to the mobile app.
} catch (IOException e) {
// Maybe report this as an HTTP error.
}
If you don't use Java on your server side, you can find a client library for the language you use at Google Cloud Client Libraries.
Refer to Google Cloud Platform Auth Guide for basics about how to send requests from your backend to the API.
For Android, you might instead want to use the Android sample for Google Cloud Speech as the Cloud client library does not currently focus on Android support.

Why is my api key not accepted by the Google Directions (Android) request?

Whenever I include my Google Play Services API key along with my request for Google Directions like in the code below:
private String makeDirectionsURL(double originLat, double originLong, double destLat, double destLong)
{
StringBuilder url = new StringBuilder();
//first part of url//
url.append("https://maps.googleapis.com/maps/api/directions/json?");
//start adding parameters//
//origin coordinates
url.append("origin="+originLat+","+originLong);
//destiniation coordinates
url.append("&destination=");
url.append(destLat+","+destLong);
//api key
url.append("&key=");
url.append(getResources().getString(R.string.google_api_key));
//NOTE: for some reason, the request suceeds when leaving out the api key
return url.toString();
}
When I include the api key as a parameter in the request, the json response shows that my request has been denied. The response reads:
{
"error_message" : "This IP, site or mobile application is not authorized to use this API key.",
"routes" : [],
"status" : "REQUEST_DENIED"
}
Yet the same api key works for my google map view - and my api console registers the accesses for the map view quota limit. Even odder yet, when I leave out the key parameter in the Directions request I get a valid JSON response.
I have a feeling that I have to generate another different api key for just the Google Directions service - but I'm not sure how to. The documentation here:
https://developers.google.com/maps/documentation/directions/#api_key
Says to visit the console and activate the Directions API service - I did.
Then it says my api key "will be available from the API Access page, in the Simple API Access section. Directions API applications use the Key for server apps." Now is where I'm confused - how can I use the key for server apps if I am accessing from a mobile device - I'm assuming this is for any webpages that wish to use the service - but what do I do for an android app. As I said, I already tried using my Simple API Access key for Android apps, which I know works, yet when I pass the same key to Google Directions - it mysteriously doesn't work...
Any help, vague guidance, or links to read up on would be really appreciated.
PS: If I can't figure this out - am I allowed to keep sending requests w/o a api key?
I think the issue is because you are trying to pass a server key which is directly tied to your server's IP address, when you should be passing an android app key.
In your Google APIs console, navigate to API's and Auth. From here you can create a new public API key.
When prompted, select Android Application
You will need to enter your device's SHA1 Certificate Fingerprint
This comes from the keystore used to sign the apk. When running an app in debug, you will most likely be using your IDE's debugging keystore. Google has a nice write up on how to get this information.
When releasing the app, you will need to sign it with your own key. You will either need to edit your API key to the new keystore SHA1 fingerprint or create a new API key.
Additionally, according to Google, you should be using a key.
All Directions API applications should use an API key. Including a key
in your request:
Allows you to monitor your application's API usage in the APIs
Console. Enables per-key instead of per-IP-address quota limits.
Ensures that Google can contact you about your application if necessary.
While I can't comment on how strictly they enforce this, I strongly encourage you to do so to avoid any issues down the road.

Protecting my Google App Engine API Endpoints

I have been doing a lot of research recently on securing my app engine. Currently, I've been reading through the question below and the links in that question:
How do I restrict Google App Engine Endpoints API access to only my Android applications?
However, it doesn't answer my problem. My question is similar to the question above, restricting access to my endpoint API to only my app. The guy seemed to have got it working when he inputs a correct email into the credentials.
My question is if I can achieve the same results without having to input any credentials. I want it so that only my app can use my endpoint API so to prevent other apps from abusing it and using up my quota. I already got a client id for my android application, and have placed it within my #API annotation. To test if it worked, I made a random value for the client id in the #API notation of another api class. However, my app was still able to use methods from both class. Any help?
-Edit-
From reading from the docs and researching further, the endpoint way of authorizing apps is by authenticating the user and for my API to check if user is null. My question is that in the process of authenticating the user, is Google somehow able to read my app's SHA1 fingerprint and authorize it to its list of client ids? If so, how can I replicate this process in my endpoint so that I check the SHA1 fingerprint of the app making the request and compare it to a set value? I don't understand the mechanics behind the endpoints very well, so correct me if I am understanding this wrong.
If the android app has access, then the user has access. A motivated party has many options for inspecting your protocol, including putting the device behind transparent proxy or simply running the app through a debugger. I do suggest running your app through ProGuard before publishing, as this will make the process [a bit] more difficult.
Ultimately, you'll need to make your appengine API robust against untrusted parties. This is simply the state of the web.
How you can protect your endpoint API is described here: http://android-developers.blogspot.com/2013/01/verifying-back-end-calls-from-android.html
The secret is that you request a token from Google Play using the following scope: audience:server:client_id:9414861317621.apps.googleusercontent.com where 9414861317621.apps.googleusercontent.com is your ClientId.
Google Play will look up the id at your endpoints app and return a Google-signed JSON Web Token if it finds the id. Then you pass that id in with your request. Above article says you should pass it in with the body. I would possibly rather add another parameter for that because otherwise you can't pass your own entities anymore. Anyway, your server backend receives the token, and you ask Google as described if it is authentic, before you process the API request.
If you pass in the token using an extra parameter, you can catch it on the server side by adding HttpServletRequest to your endpoint signature and then using request.getHeader("Yourname") to read it out. Make sure you never add the parameter as a URL parameter as it may be logged somewhere.
public void endpointmethod(
// ... your own parameters here
final HttpServletRequest request
) throws ServiceException, OAuthRequestException {
request.getHeader("YourHeaderName") // read your header here, authenticate it with Google and raise OAuthRequestException if it can't be validated
On the Android side you can pass in your token when you build the endpoint api, like this, so you don't have to do it with each and every request:
Yourapiname.Builder builder = new Yourapiname.Builder(AndroidHttp.newCompatibleTransport(), getJsonFactory(), new HttpRequestInitializer() {
public void initialize(HttpRequest httpRequest) {
httpRequest.setHeader(...);
}})
Hope this helps you make your endpoints API secure. It should.

How do I restrict Google App Engine Endpoints API access to only my Android applications?

I am an Android developer building my first Google App Engine (java) back-end for my apps. I don't want anybody else to access this API other than my app. (I plan to use App engine for verifying InApp purchases in my Android app). My data is not relevant to users so,
I don't want users to be able to access my API even if they are logged in with their Google accounts (on web or Android devices).
I followed the steps mentioned in - "Specifying authorized clients in the API backend"
(https://developers.google.com/appengine/docs/java/endpoints/auth)
like generating client IDs and add them in #Api (clientIds and audiences)
except "Add a User parameter" - since I don't need user authentication.
Then I deployed App engine and I am still able to access the API through API explorer (https://your_app_id.appspot.com/_ah/api/explorer)
(I haven't added API_EXPLORER client ID)
I tested with the APK that was built with the endpoint libs before adding client IDs and can still access the API.
Is adding a "User parameter" to all endpoint APIs a must? to achieve my purpose (restrict API to only my Android apps).
Can I pass null as userAccount name from Android client and ignore user parameter value on server (since it will be null)? Will this ensure that the API is accessible only from my android apps (since the client ID is generated for my package name and SHA1 of the APK?)
Should I use something like a service account for this purpose?
The documentation says for Android, both Android and Web client IDs must be added and audience must be the same as web client ID. Does this open access to any other web client? can I skip mentioning web client ID and still achieve my purpose?
Appreciate your time and help.
...... updating with my further investigation ...
I did the following:
Added User parameter to APIs on backend - but did not check for null value. API can still be accessed without passing any credentials (from Android debug APK and API explorer)
Then, I tried
mCredential = GoogleAccountCredential.usingAudience(this, "server:client_id:" + WEB_CLIENT_ID);
mCredential.setSelectedAccountName(null);
and passed this credential to API builder (as suggested in some other posts)
Caused FATAL EXCEPTION. So, we can't pass null account name.
I could call the API using API explorer without OAuth. But when I enabled OAuth, it gave error saying this client ID is not allowed! ( I haven't yet added com.google.api.server.spi.Constant.API_EXPLORER_CLIENT_ID in client_ids{})
Then I added code to throw OAuthRequestException on the backend if the user is null. This resulted in API explorer getting errors without OAuth. It works with OAuth enabled after adding API_EXPLORER_CLIENT_ID to client_ids)
Added code to pass valid user account name(email) from my Android app. Then, I am able to access API only with my release APK. Even the debug APK gets exceptions! - which is what I expected..So, I assume no other Android apps will be able to access this API.
So, not checking for null user on back-end API is a bad idea (as suggested in other posts). It is as good as not mentioning any client_ids and not having User param.
Only question I have at this moment is: If some one can figure out the WEB_CLIENT_ID from the APK, will they be able to use it to build a web client to access my API (I haven't mentioned client secret anywhere in the code. So I am thinking this is not possible).
I did search Google groups and Stackoverflow, but still it is not clear.
(Authenticate my “app” to Google cloud endpoints not a “user”)
Authenticate my "app" to Google Cloud Endpoints not a "user"
(How do I protect my API that was built using Google Cloud Endpoints?)
How do I protect my API that was built using Google Cloud Endpoints?
(Restrict access to google cloud endpoints to Android app)
Restrict access to google cloud endpoints to Android app
I had a similar issue, not between Android and App Engine, but between a separate server and App Engine. The way I handled it was to add a signature hash field as a parameter to each API call. If the request had an improper signature, it would be denied.
For example, suppose your API end-point is example.com/api/do_thing?param1=foo. I would hash the entire url, along with a secret key, and then append the result of the hash to the request: example.com/api/do_thing?param1=foo&hash=[some long hex value].
Then, on the server side, I would first remove the hash from the url request, then run the hash on everything that was remaining. Finally, you check whether the calculated hash matches the one that was sent with the request and if they don't, you can deny the request.
It is very important however that your secret key remain secret. You have to be careful with this on Android because someone could attempt to decompile your APK.
Facing the same problem than you ! Authenticate Android End point without Google User Account is just impossible !
So here is my way to resolv this problem, without any user interaction (Maybe not the right but that works, and you've got strong authentication (SHA1 + Google Account)):
HERE IS MY ANDROID CODE
Get and Build Valid Credential
//Get all accounts from my Android Phone
String validGoogleAccount = null;
Pattern emailPattern = Patterns.EMAIL_ADDRESS; // API level 8+
Account[] accounts = AccountManager.get(context).getAccounts();
for (Account account : accounts) {
if (emailPattern.matcher(account.name).matches()) {
//Just store mail if countain gmail.com
if (account.name.toString().contains("gmail.com")&&account.type.toString().contains("com.google")){
validGoogleAccount=account.name.toString();
}
}
}
//Build Credential with valid google account
GoogleAccountCredential credential = GoogleAccountCredential.usingAudience(this,"server:client_id:301991144702-5qkqclsogd0b4fnkhrja7hppshrvp4kh.apps.googleusercontent.com");
credential.setSelectedAccountName(validGoogleAccount);
Use this credential for secure calls
Campagneendpoint.Builder endpointBuilder = new Campagneendpoint.Builder(AndroidHttp.newCompatibleTransport(), new JacksonFactory(), credential);
HERE IS MY API BACKEND CODE:
API Annotation
#Api(
scopes=CONSTANTES.EMAIL_SCOPE,
clientIds = {CONSTANTES.ANDROID_CLIENT_ID,
CONSTANTES.WEB_CLIENT_ID,
com.google.api.server.spi.Constant.API_EXPLORER_CLIENT_ID},
audiences = {CONSTANTES.ANDROID_AUDIENCE},
name = "campagneendpoint",
version = "v1"
)
Method code:
public Collection<Campagne> getCampagnes(#Named("NumPortable")String NumPortable, User user) throws UnauthorizedException {
if (user == null) throw new UnauthorizedException("User is Not Valid");
return CampagneCRUD.getInstance().findCampagne(NumPortable);
}
For the moment, it only works on Android (I don't know how we gonna do on IOS..)..
Hope It will help you !
Google provides ways to do this for Android, web and iOS
The steps involves:
Specifying a client Id for apps you want to allow to make requests to your API
Adding a User parameter to all exposed methods to be protected by authorization.
Generating the client library again for any Android clients
Redeploying your backend API.
Updating the regenerated jar file to your Android project for your Android client.
These steps are laid out in clear detail on Google's Using Auth with Endpoints and also on this blog
Facing the same problem, here are the result of my research :
Added Android cliend id with SHA1 fingerprint in Google console
Use of it in the API annotation
BUT :
If i dont add user parameter to methods : the check about android app client id does not work
If I add the USER parameter but do not ask the user to choose its google account to create the credential ... also it does not work ...
Conclusion : It seems to be mandatory to connect a user account for the check about the app client id to be executed ... I really do not understand why because no link exist between the 2 processes
Access this site
Choose your project, go to credentials section
Create a new api key
Create a new android key
Click on "Edit allowed android applications" and enter your SHA1 key; your android package name
Let me know if this solves the issues.

Categories

Resources