How do I restrict Google App Engine Endpoints API access to only my Android applications?

Question

I am an Android developer building my first Google App Engine (java) back-end for my apps. I don\'t want anybody else to access this API other than my app. (I plan to use Ap

Answer 1

I had a similar issue, not between Android and App Engine, but between a separate server and App Engine. The way I handled it was to add a signature hash field as a parameter to each API call. If the request had an improper signature, it would be denied.

For example, suppose your API end-point is example.com/api/do_thing?param1=foo. I would hash the entire url, along with a secret key, and then append the result of the hash to the request: example.com/api/do_thing?param1=foo&hash=[some long hex value].

Then, on the server side, I would first remove the hash from the url request, then run the hash on everything that was remaining. Finally, you check whether the calculated hash matches the one that was sent with the request and if they don't, you can deny the request.

It is very important however that your secret key remain secret. You have to be careful with this on Android because someone could attempt to decompile your APK.