Allowing only my android apps to execute endpoint api in java

I created endpoint APIs, but the problem is that anyone with my project ID can go to the API Explorer and execute those APIs. I have put only the Android client ID (using the debug keystore) on top of the endpoint class declaration, but I can still go into incognito mode and execute the APIs. How can I restrict the APIs so that only my Android apps have access and all others are thrown some exception?

user531069 asked Feb 12 '16 23:02

2 Answers

The APIs can be protected by adding a key parameter that has to be correct for the API to be invoked. If the user of the API does not know the key, they won't be able to use the API even with the API Explorer.

The advantages of this approach are that it is simple to do and allows you to experiment with the API yourself if you need to.

Disadvantages include being very easy to circumvent by a determined user, just by looking at the traffic.

Konstantin Levinski answered Sep 19 '22 13:09

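
The key-parameter approach from this answer, as an added example that is not part of the original answer. It assumes a parameter named appKey and a secret supplied in the MYAPI_SHARED_KEY environment variable; the class and method names are placeholders. The comparison is done with MessageDigest.isEqual rather than String.equals so the check does not leak where the first mismatching byte is, and a missing key is refused with UnauthorizedException (HTTP 401) rather than silently served.

```java
import com.google.api.server.spi.config.Api;
import com.google.api.server.spi.config.ApiMethod;
import com.google.api.server.spi.config.Named;
import com.google.api.server.spi.response.UnauthorizedException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added example, not code from the answer above: an Endpoints class whose
// method refuses to run unless the caller supplies the shared secret in the
// "appKey" parameter. Parameter, class and variable names are assumptions.
@Api(name = "myApi", version = "v1")
public class KeyGuardedApi {

    // Assumption: the secret is read from the environment so it is not
    // committed with the source. It is still visible to anyone who can
    // observe the app's traffic, which is the weakness the answer notes.
    private static final String EXPECTED_KEY = System.getenv("MYAPI_SHARED_KEY");

    public static class Greeting {
        public String message;
        public Greeting(String message) { this.message = message; }
    }

    @ApiMethod(name = "greeting.get", httpMethod = ApiMethod.HttpMethod.GET)
    public Greeting getGreeting(@Named("appKey") String appKey) throws UnauthorizedException {
        requireKey(appKey);
        return new Greeting("hello");
    }

    // Compare in a way that does not depend on where the first mismatching
    // byte is, so a wrong key cannot be recovered from response timing;
    // refuse outright if no secret is configured or none was presented.
    static void requireKey(String presented) throws UnauthorizedException {
        if (EXPECTED_KEY == null || presented == null) {
            throw new UnauthorizedException("API key required");
        }
        byte[] expected = EXPECTED_KEY.getBytes(StandardCharsets.UTF_8);
        byte[] given = presented.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, given)) {
            throw new UnauthorizedException("API key rejected");
        }
    }
}
```

Every request has to carry appKey, and the Android app has to embed the same value, which is why this only keeps casual users out: anyone who decompiles the APK or watches the app's traffic gets the key. Treat it as obfuscation, not authentication.
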
You need to make sure that you have coded your API/backend correctly to only accept the clientId for your app; make sure that you do not see com.google.api.server.spi.Constant.API_EXPLORER_CLIENT_ID as one of the clientIds in your @Api annotation on the API class:

import com.google.api.server.spi.config.Api;

// Only the listed OAuth client IDs may call this API; note that
// Constant.API_EXPLORER_CLIENT_ID is not among them.
@Api(
  name = "myApi",
  version = "v1",
  clientIds = {<your android clientId>}
)
public class myApi {
  // your API code here
}

If the API Explorer client ID is present, it will allow it to execute your API from the API Explorer. I am not 100% sure, but I think you may still see your API from the explorer without the client ID, but execution will be prevented with an error.

This article has more info: https://cloud.google.com/appengine/docs/java/endpoints/auth#Specifying_authorized_clients_in_the_API_backend

You may want to think about putting proper auth around the endpoint calls (i.e. per-user auth checks around each method) if it is particularly sensitive. Just adding a User parameter to the @ApiMethod should be enough to force users to authenticate before executing each method.

Hope that helps.

matt1 answered Sep 18 '22 13:09
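
The clientIds restriction together with a per-method User check, as an added example that is not code from the answer above. The client ID strings are placeholders (an assumption: substitute the Android and web client IDs from your project's credentials page), and the Note type and method names are made up for the example. Two points it shows that the answer only hints at: for Android callers the ID token's audience is the web client ID, so audiences must list it as well; and Endpoints does not reject an unauthenticated call by itself when a User parameter is present, it hands the method a null User, so the method has to check and throw UnauthorizedException.

```java
import com.google.api.server.spi.config.Api;
import com.google.api.server.spi.config.ApiMethod;
import com.google.api.server.spi.response.UnauthorizedException;
// Endpoints Frameworks v1 injects this User type; v2 uses
// com.google.api.server.spi.auth.common.User instead.
import com.google.appengine.api.users.User;
import java.util.Arrays;
import java.util.List;

// Placeholders (assumption): replace with the IDs shown under
// APIs & services > Credentials for your Cloud project.
final class Ids {
    static final String ANDROID_CLIENT_ID = "ANDROID_CLIENT_ID.apps.googleusercontent.com";
    static final String WEB_CLIENT_ID = "WEB_CLIENT_ID.apps.googleusercontent.com";
    private Ids() {}
}

@Api(
    name = "myApi",
    version = "v1",
    // Only these OAuth client IDs are accepted. Constant.API_EXPLORER_CLIENT_ID
    // is deliberately absent, so the API Explorer cannot obtain a usable token.
    clientIds = {Ids.ANDROID_CLIENT_ID, Ids.WEB_CLIENT_ID},
    // Tokens minted for the Android app carry the web client ID as audience,
    // so it must be listed here or the token is rejected and User is null.
    audiences = {Ids.WEB_CLIENT_ID},
    scopes = {"https://www.googleapis.com/auth/userinfo.email"}
)
public class MyApi {

    public static class Note {
        public String owner;
        public String text;
        public Note(String owner, String text) { this.owner = owner; this.text = text; }
    }

    @ApiMethod(name = "notes.list", httpMethod = ApiMethod.HttpMethod.GET)
    public List<Note> listNotes(User user) throws UnauthorizedException {
        // Endpoints validates the caller's token against clientIds/audiences
        // before injecting User. A caller with no token, or with a token from
        // a client that is not listed, arrives here as null; the method must
        // refuse rather than assume the framework already did.
        String email = requireUser(user);
        return Arrays.asList(new Note(email, "first note"));
    }

    static String requireUser(User user) throws UnauthorizedException {
        if (user == null || user.getEmail() == null) {
            throw new UnauthorizedException("Sign in with an authorized client is required");
        }
        return user.getEmail();
    }
}
```

Applying requireUser in every method that touches user data (or in a small helper each method calls first) is the "per-user auth checks around each method" the answer recommends; the clientIds list alone only decides which OAuth clients can obtain a token that Endpoints will accept, it does not decide what an authenticated user may read.
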