Menu
After creating project in Firebase multiple Google Cloud Platform API keys were auto-generated:
All keys are marked with "!" sign which says:
This API key is unrestricted. To prevent unauthorised use and quota theft, restrict your key to limit how it can be used.
My understanding was that Firebase handles GCP configuration and knows how to do it in secure manner. "Android key" is embedded inside application so it can be retrieved very easily from apk.
Is any additional configuration necessary?
What permissions exactly is the key granted?
548
API keys are generally not considered secure; they are typically accessible to clients, making it easy for someone to steal an API key. Once the key is stolen, it has no expiration, so it may be used indefinitely, unless the project owner revokes or regenerates the key.
Store API keys or signing secrets in files outside of your application's source tree. If you store API keys or any other private information in files, keep the files outside your application's source tree to keep your keys out of your source code control system.
You can always restrict you firebase project keys to domains / IP's. select your project Id and key and restrict it to Your Android/iOs/web App.
API keys work a lot like passwords and should be stored and protected. Here are some basic steps you can take to limit the risk of a stolen key: Don't write down your key in a public place — like on a sticky note or in a file on a public computer. You can safely access your key inside your developer account.
Although API keys for Firebase services are safe to include in code, there are a few specific cases when you should enforce limits for your API key.
From the documentation:
The API keys auto-created by Firebase, by default, have no restrictions. However, there are a few specific cases when you should enforce limits for your API key.
For more details check the documentation.
163
What is your definition of secure? Does the key allow access to privileged or valuable data? Anyone that has the API key can do anything the key allows. The issue is not if the key is secure, the issue is how the key is managed, used and protected. Do you trust the people/software/services that have the key? If no, then the key is not secure.
My understanding was that Firebase handles GCP configuration and knows how to do it in secure manner.
That is an incorrect assumption. Google/Firebase does not configure your keys to be secure. That is up to your implementation to provide for and protect keys.
In summary, the answer to your question is that an API Key is not secure unless the environment that the key is used within is also secure.
43
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
