Authenticating your client to Cloud Endpoints without a Google Account login

Backend | Unresolved | 3 | 1819
情深已故 2020-12-14 07:42

I have been doing extensive research on how to authenticate your client (Android, iOS, web-app) with Cloud Endpoints without requiring your user to use their Google

3 answers
  •  忘掉有多难
    2020-12-14 08:21

    Faced the same problem of finding a solution to call my API safely from my endpoints, without using a Google Account. We can't decompile an iOS app (bundle), but decompiling an Android app is so simple.

    The solution I found is not perfect but does the job pretty well:

    1. In the Android app, I just create a constant String variable, named APIKey, with simple content (for example "helloworld145698")
    2. Then I encrypt it with SHA-1, next MD5, and finally SHA-1 (order and frequency of encryption are up to you) and store the variable in SharedPref (for Android) in private mode (do this in a random class in your app). It's this encrypted result that I authorize on my backend!
    3. On my backend, I just add a parameter (named token, for example) to every request

    Example:

        import com.google.api.server.spi.config.ApiMethod;
        import com.google.api.server.spi.config.Named;
        import com.google.api.server.spi.response.UnauthorizedException;
        import java.security.MessageDigest;

        @ApiMethod(name = "sayHi")
        public void sayHi(@Named("name") String name, @Named("Token") String token)
                throws UnauthorizedException {
            // String == compares references, not contents; compare the bytes in constant time instead
            byte[] given = token == null ? new byte[0] : token.getBytes();
            if (MessageDigest.isEqual(tokenStoreOnAPIServer.getBytes(), given)) {
                // Allow it
            } else {
                // Refuse it and return an error to the caller
                throw new UnauthorizedException("Invalid token");
            }
        }

    4. On Android, activate ProGuard to obfuscate your code. It will be really unreadable for anyone who tries to decompile your app (reverse engineering is really hardcore)

    Not THE perfect secure solution, but it works, and it will be really really (really) difficult for anyone who tries to read your code after decompilation to find the real API key.
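The procedure above (client-side hash chain, server-side compare) as an added Python example; this is not the answerer's code. It assumes each hash stage is applied to the ASCII hex digest of the previous stage, which the answer leaves unspecified, and that the backend stores only the derived value, so the check proves nothing more than that the caller knows the constant embedded in the app.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample: the constant the answer embeds in the Android app.
API_KEY = "helloworld145698"


def derive_token(api_key: str) -> str:
    """Client side: SHA-1, then MD5, then SHA-1.

    Assumption: every stage hashes the ASCII hex digest of the previous
    stage (the answer does not say whether hex or raw bytes are chained).
    """
    stage1 = hashlib.sha1(api_key.encode("utf-8")).hexdigest()
    stage2 = hashlib.md5(stage1.encode("ascii")).hexdigest()
    return hashlib.sha1(stage2.encode("ascii")).hexdigest()


# Server side: only the derived value is stored, never the raw constant.
TOKEN_STORED_ON_API_SERVER = derive_token(API_KEY)


def check_token(token: Optional[str]) -> bool:
    """Constant-time comparison of the presented token with the stored one.

    Comparing bytes avoids the TypeError compare_digest raises for non-ASCII
    str input, and avoids the reference comparison that Java's == would do.
    """
    if token is None:
        return False
    return hmac.compare_digest(
        token.encode("utf-8"), TOKEN_STORED_ON_API_SERVER.encode("ascii")
    )


def say_hi(name: str, token: Optional[str]) -> str:
    """Equivalent of the sayHi endpoint: verify the token before doing work."""
    if not check_token(token):
        raise PermissionError("invalid token")
    return f"Hi {name}"
```

Because the token is the same for every install and every request, rotating it means shipping a new app build and updating the stored value on the backend in step.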
