Situation is very critical and need experts help.
We released our APK in the market already. But the API KEY was created using developer’s own google account. Unfortunately he left our company.
We contacted him and requested him to transfer it to our account. He agreed, but he has his own API KEY in the same project. So finally he turned his face in another direction. He asked us to find the way to transfer only that API KEY that we need.
I searched in internet but, hell, I could not find.
So we are in trouble as our app is being used by the users.
Any soulution?
Thanks in advanched
You can't transfer an API key, you should either be part of the user's project, or generate a new API Key within your project. However, for installed application, it's recommended to use OAuth 2.0 authentication
Related
Recently I received this Alert in the Google Play Console
Your app contains exposed Google Cloud Platform (GCP) API keys
I am using the YouTubeApi Player, and I believe the only why you can initialize it is using this line of code
youTubePlayer.initialize(DEVELOPER_KEY, this);
So beside added restrictions to my API key, is there any other way to remove the API Key from the code?
I tried using the GCP service accounts as suggested by Google, but I do not see how I can still use the YouTube Player without the initialize line of code.
I have same problem, and fixed this by using string R.string.google_api_key generated by google_services.json
change your code to:
youTubePlayer.initialize(getString(R.string.google_api_key), this);
how to get google_services.json:
create firebase project https://firebase.google.com/docs/android/setup?hl=id
get your google_services.json https://support.google.com/firebase/answer/7015592?hl=id
There are some tips on how to secure your API keys at Using API Keys documentation.
It is stated that embedding API keys directly in the code should be avoided, which is the way you are having it right now, therefore you are getting the warning message.
Follow the tips on that page and you should properly secure your API key. As soon as you do so, the warning will go away.
UPDATE
To avoid having a long discussion in comments, allow me to elaborate further providing this update.
Google provides different ways of authentications to give you more options for securing your apps based on your needs. The warnings are helpful tips to make your apps more secure when going in production or exposing to public. So in your case, it would be better to use a different way of authentication.
API keys can be used in server side. e.g. If you are using an API key to authenticate a 3rd party service from an App Engine app, you can use this key as you already have it, since it is impossible for the key to get exposed. (Avoid using API keys in JavaScript since inspecting the page in the browser will expose the API key as well)
In your case, since you are developing an Android app and/or an iOS app, having the API key in the code is dangerous. Because, anyone can use the .apk or the .ipa file and find a way to access it. Therefore, for developing Android apps and iOS apps it is suggested going with different authentication method. The other authentication method supported in YouTube player API is using OAuth 2.0. For more information you can check the Registering your application documentation.
I am developing a web app which will be pulling data from Amazon Advertising API. I need as a user to see data for all of the sellers that has approved/registered for using their profile's data.
Is this scenario possible? If not, is there anything similar to it? If yes, how do I implement it, is there some documentation?
The Amazon Advertising API v2 was released late 2018, so it's pretty new but has some missing information in the official documentation. But to get started please follow the official documentation guide:
https://advertising.amazon.com/API/docs/v2/guides/get_started
A lot of other sources are outdated, so I suggest to stick to this guide.
The logic to handle multiple Amazon Seller Accounts you have to handle yourself.
But every Seller Account has to go through the consent workflow to give your console app the rights to get access to the shop data via API. Therefore you need to implement a 'Login with Amazon' button - That's the part that is not mentioned in the documentation. See https://login.amazon.com/
I cannot found some examples how to create a single account system for all services. For example, Google and Microsoft are use these structure. I have site and some services and I need to user registers at once and can use all service and site. But I never made this earlier and don't know even how to build so services.
Now I think make an auth service with OAuth 2 support. And my services connect to this service and authenticate in it. After the connected service gets a user ID and creates a local account with more details (which needed only for this service) and global user ID. But maybe someone know another solution. Just I don't sure that is the best solution.
P.S. I don't ask for examples of code or something else. I just need to understand the principle of operation of such related services as they interact.
I am working on a cross platform app that will be created using C++-> mobile devices, and using Perl-> Desktop PCs (like Windows /Linux/Mac OS).
Now, since the app will be downloadable, I have concerns regarding the ability of hackers to obtain the source code of my app.
Specifically, the app will connect to my central database-- at the minimum, I want that hackers are not able to obtain my database connection details. Ideally, I would want no part of the code to be hacked.
Basically, the user can update some of his information using this app-- if hackers get hold of this data they can easily change any unfortunate user's data. One thing that I have thought of is that the user will have to initially authenticate with OAuth/OAuth2 ( using his email ID #yahoo/#hotmail/#gmail)-- and only after that the app will actually show the admin interface. But at any rate, at some point the app will connect to the central database-- which is why I dont want the database's access details to be compromised.
Many organisations make such apps, so they must be facing this type of problem themself? I would like to know how I can protect my app (ideally entire code), and atleast the db credentials.
The simple answer is you do not expose your database. Ever.
Add a service layer (could be HTTP-based but doesn't have to be) on top that will deal with authentication and authorisation. Your app then logs in using the user's credentials and acts on their behalf. Your service layer exposes an API which your application talks to, but your service makes and controls all calls to the DB.
You already mention OAuth - that's a perfectly acceptable way of adding authentication to such an API.
You cannot.
On the bright side you can put security on your server. The connecting client provides credentials that they are a given user. The server generates the SQL command after proving the request is allowed. Backers can do anything your app can do, but your app becomes incapable of behaving badly to your database.
The previous answers are absolutely correct. You want a server based service layer that provides the authentication/authorization code and interacts with the database. However, it isn't always a perfect world and if you are stuck with the requirement that these applications must act as a database client you want to limit the exposure as much as possible. Typically this is done by having the client use a specific account which has not been granted any access to the general database. You then create specific stored procedures that can only do the operations and queries that are required of the application. This prevents anyone finding the credentials in the code from doing anything in the database that isn't intended, but you still have the problem that anyone can impersonate someone else by reviewing the code. There isn't a way to prevent that without a server side component. This might be okay for a closed/trusted group of users, but I wouldn't release anything to the general public with this method.
If you can do it, use OAuth2 and allow a trusted third party handle authentication. Twitter, Facebook and GitHub are all relatively paranoid about security; and the other poster is correct: never expose direct db access as part of the app the user has access to; put it behind a service of its own.
Good luck! :)
This question is related to Stackoverflow Question -> Access licence number for UPS
When I registered for Developer APIs, I was given a 4-part credential: User ID, Password, Access Key, and Shipper Number. I used this and the CIE URL to get rates, print shipping labels, etc. So far so good. Everything works. I have been able to build and test desktop and web GUIs that use UPS API.
Now I understand that I need to implement UPS Registration API and Licensing API to apply for certification. I applied with UPS for this and received the API package. Again, so far so good. Now, I have two questions:
1- I understand that we can use the Registration API to authenticate existing UPS accounts for end users to access my application. We can also use it to allow the end user to create one or more new UPS accounts for use with the application. If Registration API takes care of this, what is the use of the Licensing API? UPS documentation isn't widely available and the documentation that comes with the API kit is very minimal.
2- My app will use the end users' UPS account numbers for shipping, but which Access Key should it use? Should it use the Access Key of each end user, or my Access Key for everyone? If the former, then should this end-user Access Key be obtained using the Licensing API? Is that the Licensign API's purpose?
In essence, I think both questions are the same but you can see how perplexed I am with respect to this requirement of implementing Registration and Licensing APIs!
Any insight from you experts would be REALLY great!
UPDATE:
Just wanted to add another question:
3- I am using UPS Web Services for all UPS functionality. The package that contains Licensing API and Registration API has a "Reference.cs" for the Registration API but not for Licensing API (only XSDs in that folder). Is the Licensing API not available as Web Service?
Questions on the licensing API should be referred to the folks at UPS Ready. This is not the proper forum.