I want to use googleplus API for my Android application.
Can I share my googeplus Client ID and API keys in menifest.xml file without any security being compromised?
Can somebody do some malicious activity using this information?
They could exhaust your API call quota by impersonating your app. Then your app will stop working (either temporarily or permanently if they ban your key). That said, for your app to work, they need to be inside the app, so you have to put them there. You might try to obfuscate them somewhat to make them less obvious.
There's a better way to setup client authentication in Android than using the simple API key. Full instructions are available from the Google+ Platform for Android page. At a high level, the following steps are taken:
Create a client ID for Android using your package name and a signing fingerprint from your Android keystore. This will protect your application because only you can sign your apps.
Use the Google Play Services SDK to perform operations against the Google+ API.
You will not need to authenticate in the same sense that you would for Web applications because your package and its certificate are sufficient to identify your application. For this reason, you will need a unique package per application.
Related
I'm just getting started with using the Google Drive REST API in an Android app. (I can't use the Google Drive API for Android because the app needs to share files, and perhaps a few other things, that GDAA doesn't support.) I'm stuck on a couple of points.
The first has to do with OAuth2.0 credentials. I went through the Android quick start example and it works fine. I set up a project on my Google developer console and generated an OAuth2.0 client ID and secret and also downloaded the JSON credentials file. However, the quick start example doesn't show how to plug any of this into the app. The only thing I found in the docs that seems relevant is GoogleClientSecrets, but I don't see anything about how to use that in an Android app. (The Java quick start example uses this, but it's not integrated with Android's account manager and doesn't seem right for an Android app.) When I run the Android version of the quick start app, no activity shows up on my developer console, which suggests to me that the app is running in some sort of anonymous mode. As I understand it, that would limit the app to a very low daily quota of transactions.
Second, I noticed that the GDAA and the REST API for JavaScript both have nice file picker APIs. I couldn't find anything similar in the Java/Android API.
So here are my specific questions:
How do I use my app's OAuth2.0 credentials from the developer console in a REST API for Android Java app? I feel like I'm just missing something obvious.
Is there a file picker API for the Google Rest API for Android?
After stepping through the library as I executed the Quickstart example (a painful process, as there is no source code), I discovered the answer. It turns out that you need to specify the client ID in the manifest. Specifically, you needs the following under the <application> tag:
<meta-data
android:name="com.google.app.id"
android:value="app ID from your API console"/>
Once this entry is in the manifest, then when the app uses the Google Drive REST API to interact with Google's servers, the transaction is correctly logged as traffic in your app's console. Without this entry, the app seemed to work in my testing, but no traffic was logged. I seem to recall (from an old Google I/O video) that such "anonymous" apps still work, but have a very low usage quota (something like 10 or 100 queries/day).
For those who are curious, I found this key in the class com.google.android.gms.common.internal.zzz, found in the play-services-basement-10.2.0 library.
Save the client_id.json file downloaded from the Google API console into into your app's src/main/res directory.
I was stuck exactly the same, but after I built my app with the file included the Google API started working.
How do I use my app's OAuth2.0 credentials from the developer console in a REST API
The pages around https://developers.google.com/android/guides/api-client give you all that you need to know. In particular, note the Java Quickstart you were using is for generic Java. The way Google Play Services on Android manage credentials and accounts is very Android-specific.
Is there a file picker API for the Google Rest API for Android?
Not that I know of, but depending on your use case, you might be able to use the GDAA picker. Ultimately, both GDAA and the Java REST API are layers above your Drive storage.
When we create Google Maps API key for Android Application.We can easily generate a API key by choosing the project Create credentials-->API key.There is option for RESTRICT key for which we have to give SHA1 with package name.What is the difference in betwwen it? And which one to follow?
For example, Restrict to android app, only application with specific sha1 and packagename can use your api key, similar to iOS apps (only specific bundle identifiers), IP address, web url. You can reduce the impact of a compromised API key.
So, you should create different api key for each platform
Refer to the link below: https://support.google.com/googleapi/answer/6310037?hl=en
API key is a unique string that allow google to identify who is requesting access to platform and verify that they have permission to do so.
Restrict key is optional but highly recommended since it helps to keep your account secured prevent malicious user for your project.
You can assign any number of restriction to the API key for your security purpose and it depends on your project whether to apply restriction or not.
There are 4 type of Application restriction:
Http refers:- It will be used to only allow request that originate from the particular website or web app.
IP Address:- This restriction allow call from specific IP address.
Android App:- This type of restriction only allow calls that originate from Android application.You need to specify package name and SHA-1 key.
iOS App:- It only allow request that originate from iOS application
There is also option for API restriction which allow you to specify the API's that can be called using key.
I'am using the Google Drive Android API. My application is synchronizing files to a google drive folder. This is working properly.
Additionally, I want to share those folders and files with other users. Unfortunately from another device and account in the same app I can only access files/folders which I have picked through the Files/Folder pickers (see https://github.com/googledrive/android-demos/tree/master/app/src/main/java/com/google/android/gms/drive/sample/demo)
My GoogleApiClient is getting the scope: Drive.SCOPE_FILE. So description says:
Per-file access to files created or opened by the app
Since I am using the same app on another device with a different account shouldn't I be able to access those files? Btw with the same account on another device this is working.
Is there any other solution? I've already checked the REST API but I am afraid this would make the whole code much more complex.
For everyone who is interested in a solution:
I found no way to sync shared files with the google android native API. (besides the file picker)
In case you want to do so you have to use the google drive rest API.
A little advantage for this solution. I think the java rest API is anyway much more suited for this kind of work. Code gets in that way much more readable.
You just need to authorized the user. Take note that in every request your application sends to the Drive API must include an authorization token. The token also identifies your application to Google. You must impliment OAuth 2.0 to authorize requests. No other authorization protocols are supported.
All requests to the Drive API must be authorized by an authenticated user.
The details of the authorization process, or "flow," for OAuth 2.0 vary somewhat depending on what kind of application you're writing. The following general process applies to all application types:
When you create your application, you register it using the Google API Console. Google then provides information you'll need later, such as a client ID and a client secret.
Activate the Drive API in the Google API Console. (If the API isn't listed in the API Console, then skip this step.)
When your application needs access to user data, it asks Google for a particular scope of access.
Google displays a consent screen to the user, asking them to authorize your application to request some of their data.
If the user approves, then Google gives your application a short-lived access token.
Your application requests user data, attaching the access token to the request.
If Google determines that your request and the token are valid, it returns the requested data.
Some flows include additional steps, such as using refresh tokens to acquire new access tokens. For detailed information about flows for various types of applications, see Google's OAuth 2.0 documentation.
Scope:
https://www.googleapis.com/auth/drive.file - Per-file access to files created or opened by the app
Full access to all files in the user's Drive (https://www.googleapis.com/auth/drive) may be necessary for some apps. An app designed to sync files, for instance, needs this level of access to Drive. Apps with special needs related to listing or reorganizing files might need full scope.
I have an android app that uses google places api to get near places...everything works fine when I leave the allowed android devices field for android api key empty...but when I add my custom certificate's SHA1 fingerprint and package I get the error that my app is not authorized...when I remove it again it works!
I think it is necessary to add this field because it prevents quota theft but why I am getting this error?
I am pretty sure of that the fingerprint and the package name are correct.
Help please
The problem is that you're using an Android API Key.
For the Places Webservice API you need to use either a Browser Key or a Server Key.
From the documentation:
If your project doesn't already have a key for server applications,
create an API key by selecting Create New Key (under "Public API
access") and then selecting Server key.
Also, this is interesting since you found out this is not true, but the documentation also states:
Note: The Google Places API Web Service does not work with an Android
or iOS API key.
Go in the Google Developer Console, click Create new Key, then click Server key
or Browser key.
This is the key that you use in your URL that returns JSON.
If you also have a Google Map, use a separate Android key for that, placed in your AndroidManifest.xml.
If you are using the Places API Web Service then you should use a Server key, as noted by Daniel Nugent above (please accept his answer, not mine).
In this case, best practice is to proxy the requests from your Mobile Application via an intermediate server.
If it is possible to do so, given your feature requirements, you should consider using the newer Places API for Android, in which case you would be able to use an Android Key.
I'm trying to make an Autocomplete field which should fetch cities as the user types, by using the Google Places API as described in this tutorial:
https://developers.google.com/places/training/autocomplete-android
You've probably found this question around many times before as I did, but none of the answers helped me. Here are the things you should know:
The URL is
https://maps.googleapis.com/maps/api/place/autocomplete/json?sensor=false&key=myKey&components=country:ro&input=whatTheUserTypes
Please don't reply by saying you replaced the API key with your own and it worked - the API key which goes there must be Android specific and won't work from a browser.
So did I make the Android API key using the SHA1 fingerprint obtained from the keystore I signed the app with.
I turned on Maps and Places APIs from the console.
The quota isn't exceeded.
All those and it still gives me REQUEST_DENIED
What I didn't mention is that I have O2Auth activated - does that change anything? Shouldn't it be as simple as putting the API key in the app?
Thanks!
Although this has been answered, I think the community could do better.
I was tearing my hair out about this, it just didn't make sense to me.. I was making an iOS/Android App, so I made an iOS/Android Key...
Wrong.
With Google's Places API, your bundle identifier isn't even considered.
What you really want to do is this:
(I'm using the new User Interface)
1. Log into https://cloud.google.com/console#/project
Select your Project Name, then go into API's & Auth > APIs
Make sure you have Places API Turned on. This is the only thing that needs to be turned on for Places-API to work.
2. Go into Credentials
Click CREATE NEW KEY under Public API Access
3. Select BROWSER KEY
4. Click Create, Nothing Else
Leave the HTTP Refer box empty.
5. Use the Key Generated here
This key will allow ANY user from any device access to the API via your Developer login.
You can try it out here: (Be sure to replace YOUR_KEY_HERE with your generated Key)
https://maps.googleapis.com/maps/api/place/autocomplete/json?input=Food%20Sh&sensor=false&radius=500&location=0,0&key=YOUR_KEY_HERE
6. Enjoy
Now you can use that URL above in your Android/iOS device.
The Google Places API does not currently support Android or iOS keys generated from the Google APIs Console. Only Server and Browser keys are currently supported.
If you would like to request this support, please file a Places API - Feature Request.
https://developers.google.com/places/training/autocomplete-android
Storing your API key
Although the above code demonstrates how to communicate directly
between an Android app and the Places Autocomplete service, you should
not store your Places API key with your app.
You should therefore build a web application that stores your API key
and proxies the Places API services. In order to secure communication
between your Android app and the proxy web service, you should require
user authentication to your proxy web service. Your Android app can
securely store user credentials and pass them to your web service, or
the user can log into your web app via an Android WebView.
For the latter approach, your web app should create and return a user
authentication token to your Android app, and your Android app should
subsequently pass this token to your proxy web service.
Go to google cloud platform console>Credentials click on edit by selected your YOUR_API_KEY>Application restrictions > select none option>save thats it.
If you select the android apps option from Application restrictions then google deny the place API with exception REQUEST_DENIED.
In Google dev console, you should be able to find both "Places API" and "Places API for Android"
Make sure to use "Places API for Android"
For some reason, "Places API for Android" is hidden in the API list, but can be accessed using search.
I had the same issue , I fix it by leaving
Accept requests from these HTTP referrers (web sites) (Optional)
in browser key Empty
I am still new, so I cannot comment, but to shed some light on Moe's answer, I resolved some similar Google Maps API issues regarding URL queries (for directions, using Volley) with the following steps:
Get Android API Key (including Google Maps Directions API in my case).
Get "Server" API Key (which seems to be created by using a key restriction of "HTTP referrers" these days - really, it's just used to issue URL queries through HTTP).
Store the Android API key as a meta-data tag in the application tag in AndroidManifest.xml with android:name="com.google.android.maps.v2.API_KEY" and android:value as your key. This is used for direct interaction with the Maps API (minus URL queries).
Use the server API key whenever issuing URL queries.
I am not sure if this also applies to URL queries for the Places API, if you only need the server API key, or if there is a better solution, but this worked for me.
I imagine that it works with just the first key - the one not restricted to Android.
Inside Google Cloud Console type Places and Activate it. Create an API Key and insert it onto your Android Studio App as you would do normally. That`s it.
I had the same problem. For me the key was to enable billing on project. I am still using "Applications for Android" restrictions. After setting up the payment method, Places Api started working.
Prior to using the Places SDK for Android, do the following:
Follow the Get an API Key guide to get, add, and restrict an API key.
Enable billing on each of your projects.
Enable the Places API for each of your projects.
See it there.
Be sure also to check out the billing plans for the Google Places API as it is not free!