
How does Google verify Android SHA1 fingerprints and packages?

I am trying to make my Google Translate API work but currently I can't find a way. This is how I have set things in Google Developer Console:
I have set my SHA1 fingerprint with the debug certificates. And package name - "bg.webmap.wordy" (which is the actual name). When I try to make a call, an "ipRefererBlocked" error is returned in JSON. But when I remove the fingerprint and package name, it works perfectly, but then everybody can use this key, so it is very insecure. So my problem is with authentication.
Will my app automatically send this fingerprint when the API is called? Should I send it myself and how? May the problem be in the debug certificates?

BabbevDan asked Jul 23 '15 13:07



1 Answer

Will my app automatically send this fingerprint when the API is called?

NO!

Should I send it myself and how?

YES!

When setting up your API key restriction for an Android app, you specified the package name and SHA-1 certificate fingerprint. So when you send a request to Google, you must add this information in the header of each request.

HOW?

As answered here, you need to get your package name and SHA certificate from your code, and then add them to the request header.

Get SHA certificate:

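// Imports needed by the two methods below (BaseEncoding comes from Guava)
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import androidx.annotation.NonNull;
import com.google.common.io.BaseEncoding;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Gets the SHA1 signature, hex encoded for inclusion with Google Cloud Platform API requests
 *
 * @param pm          PackageManager used to look up the package.
 * @param packageName Identifies the APK whose signature should be extracted.
 * @return a lowercase, hex-encoded SHA-1 digest of the first signing certificate,
 *         or null if the package or its signature cannot be read
 */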
public static String getSignature(@NonNull PackageManager pm, @NonNull String packageName) {
    try {
        PackageInfo packageInfo = pm.getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
        if (packageInfo == null
                || packageInfo.signatures == null
                || packageInfo.signatures.length == 0
                || packageInfo.signatures[0] == null) {
            return null;
        }
        return signatureDigest(packageInfo.signatures[0]);
    } catch (PackageManager.NameNotFoundException e) {
        return null;
    }
}

private static String signatureDigest(Signature sig) {
    byte[] signature = sig.toByteArray();
    try {
        MessageDigest md = MessageDigest.getInstance("SHA1");
        byte[] digest = md.digest(signature);
        return BaseEncoding.base16().lowerCase().encode(digest);
    } catch (NoSuchAlgorithmException e) {
        return null;
    }
}

Adding to request header:

java.net.URL url = new URL(REQUEST_URL);
HttpURLConnection connection = (HttpURLConnection)url.openConnection();
try {
    connection.setDoInput(true);
    connection.setDoOutput(true);

    connection.setRequestProperty("Content-Type", "application/json; charset=UTF-8");
    connection.setRequestProperty("Accept", "application/json");

    // add package name to request header
    String packageName = mActivity.getPackageName();
    connection.setRequestProperty("X-Android-Package", packageName);
    // add SHA certificate to request header
    String sig = getSignature(mActivity.getPackageManager(), packageName);
    connection.setRequestProperty("X-Android-Cert", sig);
    connection.setRequestMethod("POST");

    // ADD YOUR REQUEST BODY HERE
    // ....................
} catch (Exception e) {
    e.printStackTrace();
} finally {
    connection.disconnect();
}

You can see the full answer here.

Enjoy coding :)

Duy Pham answered Sep 26 '22 04:09
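
The question also asks whether the debug certificates could be the problem. The following is an added example, not part of the original answer and written in plain Java rather than Android code: it checks whether a fingerprint registered in keytool's colon-separated form matches the value a given certificate yields in the header form that getSignature() returns. The class and method names are hypothetical, the certificate bytes are constructed stand-ins, and it assumes Signature.toByteArray() yields the same DER bytes that keytool hashes.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

public class FingerprintCheck {

    /** Header form, as getSignature() returns it: SHA-1 of the bytes, lowercase hex, no separators. */
    static String headerForm(byte[] certBytes) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(certBytes);
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format(Locale.ROOT, "%02x", b));
        }
        return hex.toString();
    }

    /** keytool-style form: uppercase hex pairs joined by colons. */
    static String keytoolForm(String headerHex) {
        return headerHex.toUpperCase(Locale.ROOT).replaceAll("(..)(?!$)", "$1:");
    }

    /** Reduces either form to header form; rejects anything that is not 20 hex-encoded bytes. */
    static String normalize(String fingerprint) {
        String hex = fingerprint.trim().replace(":", "").toLowerCase(Locale.ROOT);
        if (!hex.matches("[0-9a-f]{40}")) {
            throw new IllegalArgumentException("not a SHA-1 fingerprint: " + fingerprint);
        }
        return hex;
    }

    /** True when the registered fingerprint is the one this certificate produces. */
    static boolean matches(String registered, byte[] certBytes) throws NoSuchAlgorithmException {
        return normalize(registered).equals(headerForm(certBytes));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed stand-ins for the DER bytes of two signing certificates (not real certificates).
        byte[] debugCert = "constructed-debug-certificate".getBytes(StandardCharsets.UTF_8);
        byte[] releaseCert = "constructed-release-certificate".getBytes(StandardCharsets.UTF_8);

        // The value as registered for the key: the debug fingerprint in keytool form.
        String registered = keytoolForm(headerForm(debugCert));
        System.out.println("registered:    " + registered);
        System.out.println("debug build:   match=" + matches(registered, debugCert));
        System.out.println("release build: match=" + matches(registered, releaseCert));
    }
}
```

A build signed with a different certificate than the one registered fails the comparison, so each signing certificate in use (debug and release) needs its own fingerprint registered for the key.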