Allowing only my android apps to execute endpoint api in java

1 view
Skip to first unread message

user531069 via StackOverflow

unread,
Feb 12, 2016, 6:07:20 PM2/12/16
to google-appengin...@googlegroups.com

I created endpoint apis but problem is anyone with my project id can go to api explorer and execute those apis. I have put only android client id (using debug keystore) on top of endpoint class declaration but still I can go to incognito mode and execute the apis. How can I restrict the apis so that only my android apps have access and all others will be thrown with some exception?



Please DO NOT REPLY directly to this email but go to StackOverflow:
http://stackoverflow.com/questions/35373693/allowing-only-my-android-apps-to-execute-endpoint-api-in-java

user1420953 via StackOverflow

unread,
Feb 13, 2016, 1:07:08 AM2/13/16
to google-appengin...@googlegroups.com

The APIs can be protected by adding a key parameter that has to be correct for API to be invoked. If the user of the API does not know the key, he won't be able to use the API even with API Explorer.

Advantages of this approach is that it is simple to do, allow you yourself to experiment with the API if you need.

Disadvantages include being very easy to circumvent by a determined user, just by looking at the traffic.



Please DO NOT REPLY directly to this email but go to StackOverflow:
http://stackoverflow.com/questions/35373693/allowing-only-my-android-apps-to-execute-endpoint-api-in-java/35376687#35376687

Codetoend via StackOverflow

unread,
Feb 19, 2016, 8:30:03 PM2/19/16
to google-appengin...@googlegroups.com

You can use on each api allowed_client_ids to be ANDROID_CLIENT_ID only, can be a possible workaround.

I think this could help if you haven't followed it yet : https://cloud.google.com/appengine/docs/python/endpoints/auth#Python_Creating_OAuth_20_client_IDs



Please DO NOT REPLY directly to this email but go to StackOverflow:
http://stackoverflow.com/questions/35373693/allowing-only-my-android-apps-to-execute-endpoint-api-in-java/35518033#35518033

matt1 via StackOverflow

unread,
Feb 20, 2016, 6:25:09 PM2/20/16
to google-appengin...@googlegroups.com

You need to make sure that you have coded your API/backend correctly to only accept the clientId for your app; make sure that you do not see endpoints.API_EXPLORER_CLIENT_ID as one of the clientIds in your @Api annotation on the API class:

@Api(
  name = "myApi",
  version = "v1",
  clientIds = {<your android clientId>},
)
public class myApi {
  // your API code here
}

If the API Explorer client ID is present, it will allow it to execute your API from the API. I am not 100% sure, but I think you may still see your API form the explorer without the client ID, but execution will be prevented with an error.

This article has more info: https://cloud.google.com/appengine/docs/java/endpoints/auth#Specifying_authorized_clients_in_the_API_backend

You may want to think about putting proper auth around the endpoint calls (i.e. per-user auth checks around each method) if it is particularly sensitive. Just adding a User parameter to the @ApiMethod should be enough for force users to auth before executing each method.

Hope that helps.



Please DO NOT REPLY directly to this email but go to StackOverflow:
http://stackoverflow.com/questions/35373693/allowing-only-my-android-apps-to-execute-endpoint-api-in-java/35530351#35530351

matt1 via StackOverflow

unread,
Feb 20, 2016, 6:35:07 PM2/20/16
to google-appengin...@googlegroups.com

You need to make sure that you have coded your API/backend correctly to only accept the clientId for your app; make sure that you do not see com.google.api.server.spi.Constant.API_EXPLORER_CLIENT_ID as one of the clientIds in your @Api annotation on the API class:

Ruchira Randana via StackOverflow

unread,
Feb 23, 2016, 4:00:04 PM2/23/16
to google-appengin...@googlegroups.com

Use symmetric key cryptography along with digital signatures for this. However, you'll need to share the key with the Android app first.

Here's how it would work.

Whenever the Android app is making a network request, you take the URL & the parameters, then you Hash it and then encrypt it using the shared private key. You then append the signature as another parameter to the URL.

At the receiving end, your web API will validate whether the request came from your Android app ONLY.

Please note, that this will work ONLY for your app. It will not work as a way to catch all generic Android requests/



Please DO NOT REPLY directly to this email but go to StackOverflow:
http://stackoverflow.com/questions/35373693/allowing-only-my-android-apps-to-execute-endpoint-api-in-java/35587963#35587963

Raghvendra Kumar via StackOverflow

unread,
Feb 25, 2016, 7:20:11 AM2/25/16
to google-appengin...@googlegroups.com

Here are some points for consideration :

Cloud Endpoints has been supporting the ANDROID CLIENT ID and package signing, so that should atleast take care of the fact that only a signed Android application from your side can access the endpoint

.

If you wish to remove the Web Clients from access, then I would probably look into the HTTP Headers and Agents to see if there is a sure way of identifying these web clients.However, this would require that you write your own Authorization logic in the method since I do not believe that the endpoints infrastructure can take care of this automatically for you

.

Remove access for everyone via the Annotations could be problematic if you want a quick way to use the API Explorer to test out the API. So do keep the API Explorer access available.



Please DO NOT REPLY directly to this email but go to StackOverflow:
http://stackoverflow.com/questions/35373693/allowing-only-my-android-apps-to-execute-endpoint-api-in-java/35627068#35627068
Reply all
Reply to author
Forward
0 new messages