

Restrict GAE API (Endpoints) to Android app

I want to restrict access to my GAE backend only to my Android app. I don't want the authentication to be user-based, and I certainly don't want the user to provide their Google account credentials, or any credentials at all. I just want my GAE API to be accessible to my app only.

There are several questions on StackOverflow about this, but I have not understood what the process is.

The GAE Documentation expectedly describes the server-side of things, and does not provide any snippet for Android clients.

I have stumbled upon this Android developers blog post and this Google Cloud Platform sample project, both of which have an awful lot of things to do in order to authenticate (using the user's email address), which seems an overkill. When I generated the client ID for Android, in the Google Developers Console, I specified both the package and the SHA1 checksum from the application's keystore. I was under the impression that they would somehow suffice to identify the app to the server in a more transparent way.

Are the above links the way to go, or am I on the wrong track?

You really can't "Restrict GAE API (Endpoints) to Android app" as of right now. The reason is that a hacker could potentially decompile your Android app and view any type of client keys or other credentials and then have full access to your cloud endpoints api methods.

Is this likely? I am not sure. You would have to do your own research on that. It would depend on many factors such as how well known your app is, how determined the hacker is, etc. For example, Snapchat uses GAE and it had many problems with security where hackers were able to access their API to make 3rd party apps. I imagine it involved some sort of decompilation either of the Android or iOS client.

Take a look at a question (and comments) I asked a while ago that is similar. All Cloud Endpoints is, is a way to create a restful API. Uniquely identifying only your specific Android application is the real problem: How to uniquely identify your Android app for rest API
