How do I restrict Google App Engine Endpoints API access to only my Android applications?

Question

I am an Android developer building my first Google App Engine (java) back-end for my apps. I don\'t want anybody else to access this API other than my app. (I plan to use Ap

Answer 1

I had a similar issue, not between Android and App Engine, but between a separate server and App Engine. The way I handled it was to add a signature hash field as a parameter to each API call. If the request had an improper signature, it would be denied.

For example, suppose your API end-point is example.com/api/do_thing?param1=foo. I would hash the entire url, along with a secret key, and then append the result of the hash to the request: example.com/api/do_thing?param1=foo&hash=[some long hex value].

Then, on the server side, I would first remove the hash from the url request, then run the hash on everything that was remaining. Finally, you check whether the calculated hash matches the one that was sent with the request and if they don't, you can deny the request.

It is very important however that your secret key remain secret. You have to be careful with this on Android because someone could attempt to decompile your APK.

Answer 2

Facing the same problem, here are the result of my research :

• Added Android cliend id with SHA1 fingerprint in Google console
• Use of it in the API annotation

BUT :

• If i dont add user parameter to methods : the check about android app client id does not work

• If I add the USER parameter but do not ask the user to choose its google account to create the credential ... also it does not work ...

Conclusion : It seems to be mandatory to connect a user account for the check about the app client id to be executed ... I really do not understand why because no link exist between the 2 processes

Answer 3

Google provides ways to do this for Android, web and iOS The steps involves:

1. Specifying a client Id for apps you want to allow to make requests to your API
2. Adding a User parameter to all exposed methods to be protected by authorization.
3. Generating the client library again for any Android clients
4. Redeploying your backend API.
5. Updating the regenerated jar file to your Android project for your Android client.

These steps are laid out in clear detail on Google's Using Auth with Endpoints and also on this blog

Answer 4

Access this site

Choose your project, go to credentials section

Create a new api key

Create a new android key

Click on "Edit allowed android applications" and enter your SHA1 key; your android package name

Let me know if this solves the issues.

Answer 5

Facing the same problem than you ! Authenticate Android End point without Google User Account is just impossible !

So here is my way to resolv this problem, without any user interaction (Maybe not the right but that works, and you've got strong authentication (SHA1 + Google Account)):

HERE IS MY ANDROID CODE

Get and Build Valid Credential

  //Get all accounts from my Android Phone
         String validGoogleAccount = null;
         Pattern emailPattern = Patterns.EMAIL_ADDRESS; // API level 8+
         Account[] accounts = AccountManager.get(context).getAccounts();
         for (Account account : accounts) {
             if (emailPattern.matcher(account.name).matches()) {
                 //Just store mail if countain gmail.com
                 if (account.name.toString().contains("gmail.com")&&account.type.toString().contains("com.google")){
                     validGoogleAccount=account.name.toString();
                 }

             }
         }

        //Build Credential with valid google account
        GoogleAccountCredential credential = GoogleAccountCredential.usingAudience(this,"server:client_id:301991144702-5qkqclsogd0b4fnkhrja7hppshrvp4kh.apps.googleusercontent.com");
        credential.setSelectedAccountName(validGoogleAccount);

Use this credential for secure calls

Campagneendpoint.Builder endpointBuilder = new Campagneendpoint.Builder(AndroidHttp.newCompatibleTransport(), new JacksonFactory(), credential);

HERE IS MY API BACKEND CODE: API Annotation

@Api(
        scopes=CONSTANTES.EMAIL_SCOPE,
        clientIds = {CONSTANTES.ANDROID_CLIENT_ID, 
                     CONSTANTES.WEB_CLIENT_ID,
                     com.google.api.server.spi.Constant.API_EXPLORER_CLIENT_ID},
        audiences = {CONSTANTES.ANDROID_AUDIENCE},      
        name = "campagneendpoint",
        version = "v1"
     )

Method code:

public Collection<Campagne> getCampagnes(@Named("NumPortable")String NumPortable, User user) throws  UnauthorizedException {
        if (user == null) throw new UnauthorizedException("User is Not Valid");

      return CampagneCRUD.getInstance().findCampagne(NumPortable);
     }

For the moment, it only works on Android (I don't know how we gonna do on IOS..)..

Hope It will help you !