Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Are API keys "autogenerated by Firebase" in GCP secure?

After creating project in Firebase multiple Google Cloud Platform API keys were auto-generated:

  • Server key (auto created by Firebase)
  • Android key (auto created by Firebase)
  • Browser key (auto created by Firebase)

All keys are marked with "!" sign which says:

This API key is unrestricted. To prevent unauthorised use and quota theft, restrict your key to limit how it can be used.

My understanding was that Firebase handles GCP configuration and knows how to do it in secure manner. "Android key" is embedded inside application so it can be retrieved very easily from apk.

Is any additional configuration necessary?

What permissions exactly is the key granted?

like image 548
sdf3qrxewqrxeqwxfew3123 Avatar asked Dec 08 '19 20:12

sdf3qrxewqrxeqwxfew3123


People also ask

Is API key authentication secure?

API keys are generally not considered secure; they are typically accessible to clients, making it easy for someone to steal an API key. Once the key is stolen, it has no expiration, so it may be used indefinitely, unless the project owner revokes or regenerates the key.

How do you securely handle API keys?

Store API keys or signing secrets in files outside of your application's source tree. If you store API keys or any other private information in files, keep the files outside your application's source tree to keep your keys out of your source code control system.

Where does firebase store API keys?

You can always restrict you firebase project keys to domains / IP's. select your project Id and key and restrict it to Your Android/iOs/web App.

Should API keys be protected?

API keys work a lot like passwords and should be stored and protected. Here are some basic steps you can take to limit the risk of a stolen key: Don't write down your key in a public place — like on a sticky note or in a file on a public computer. You can safely access your key inside your developer account.


2 Answers

Although API keys for Firebase services are safe to include in code, there are a few specific cases when you should enforce limits for your API key.

From the documentation:

The API keys auto-created by Firebase, by default, have no restrictions. However, there are a few specific cases when you should enforce limits for your API key.

For more details check the documentation.

like image 163
Dinario Avatar answered Nov 16 '22 03:11

Dinario


What is your definition of secure? Does the key allow access to privileged or valuable data? Anyone that has the API key can do anything the key allows. The issue is not if the key is secure, the issue is how the key is managed, used and protected. Do you trust the people/software/services that have the key? If no, then the key is not secure.

My understanding was that Firebase handles GCP configuration and knows how to do it in secure manner.

That is an incorrect assumption. Google/Firebase does not configure your keys to be secure. That is up to your implementation to provide for and protect keys.

In summary, the answer to your question is that an API Key is not secure unless the environment that the key is used within is also secure.

like image 43
John Hanley Avatar answered Nov 16 '22 04:11

John Hanley