I know what is a SHA and SHA1 cryptographic algorithm. I also know how to genarate these from a computer.
But I have searched a lot on the internet and still unable to get a proper explanation on how using these keys will secure an API that you are using on an Android app?
For example, Facebook needs your SHA1 key from your system along with your app's package name to be entered on their developer console and their API doesn't work on your app if the key you entered is wrong.
How does this mechanism work? How do they verify this on your App?
Facebook is leveraging Android application signing functionality to provide the same type of assurance in the context of API interactions.
When building your application, your private key is being used to digitally sign the result. The signature validates that the build was created by the key owner and not subsequently modified.
Within the application, a signing certificate is stored, which is programmatically accessible.
In the Facebook SDK, the signing certificate is extracted using the PackageManager class. The resultant keyhash is provided as a parameter to API calls, where it is compared with the hash you provided via their Developer ste.
So, by providing the keyhash out-of-band (i.e. exporting it and entering on the developer site), Facebook is able to validate the in-band instance (i.e. compiled into the application and included in API requests).
来源:https://stackoverflow.com/questions/50997849/how-sha-and-sha1-certificates-secure-an-api-on-your-android-app-like-facebook-do