How is it that Google API keys are open to the public?
There are a lot of reasons why you might be using Google APIs. They may be for Google Maps, an iOS or Android app, or just a web application. Regardless of what you're using your Google APIs for, by default (if the key is autogenerated) they are unrestricted, meaning that if anyone sees the API key, they can simply copy and paste it into their own project and start reading and writing with it! How crazy is that?! The web API keys in your JavaScript are extremely easy to view with the developer console of the browser. Here's what mine looks like (with fake data of course!).
```javascript
// Your web app's Firebase configuration
var firebaseConfig = {
  apiKey: "adfaeafaffee-eeeeeaaa333",
  authDomain: "appName-1111.firebaseapp.com",
  databaseURL: "https://appName-1111.firebaseio.com",
  projectId: "appName-1111",
  storageBucket: "appName-1111.appspot.com",
  messagingSenderId: "44444444",
  appId: "2:43434:122434de"
};
// Initialize Firebase
firebase.initializeApp(firebaseConfig);
```
How to secure Google API keys for Web
Let's secure them by only allowing requests initiated from whitelisted referrer domain names (and, for apps, whitelisted app bundle IDs).
- Navigate to https://console.developers.google.com/apis
- Go to your firebase project
- Go to credentials
- Under API keys, select the Browser key associated with your Firebase project (it should have the same value as the API key you use to initialize your Firebase app).
- Under Application restrictions, select HTTP referrers (web sites) and add the URLs of your app:
  - https://CloudlyEngineer.com/*
  - http://CloudlyEngineer.com/*
  - CloudlyEngineer.com/*
- Optional: if your keys were unrestricted prior to this change, I suggest regenerating a new key and updating your JavaScript!
- If you're using Firebase, be sure to also add the URLs that look like "https://appName-1111.firebaseapp.com".
- Save.
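To check the allowlist before saving it, here is an added example (not code from the original post) that builds the referrer patterns the steps above describe from a config shaped like the one shown earlier, and tests sample Referer values against them using a simplified model of the console's wildcard matching (an assumption on my part, not Google's published matching algorithm).

```python
import re

# Constructed sample in the same shape as the firebaseConfig above (fake values).
FIREBASE_CONFIG = {
    "apiKey": "adfaeafaffee-eeeeeaaa333",
    "authDomain": "appName-1111.firebaseapp.com",
    "projectId": "appName-1111",
}


def referrer_allowlist(config, app_domains):
    """Return the HTTP referrer patterns to enter under Application restrictions:
    https, http and scheme-less forms of each app domain, plus the Firebase
    auth domain taken from the config (the appName-1111.firebaseapp.com entry)."""
    patterns = []
    for domain in app_domains:
        patterns += [f"https://{domain}/*", f"http://{domain}/*", f"{domain}/*"]
    patterns.append(f"https://{config['authDomain']}/*")
    return patterns


def _pattern_to_regex(pattern):
    # Simplified model (assumption): '*' stands for any run of characters, a
    # pattern with no scheme accepts http or https, and matching ignores case.
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    if "://" not in pattern:
        body = r"(?:https?://)?" + body
    return re.compile("^" + body + "$", re.IGNORECASE)


def referrer_allowed(patterns, referrer):
    """True if the Referer header value matches at least one allowlist pattern."""
    return any(_pattern_to_regex(p).match(referrer) for p in patterns)


def audit_referrers(patterns, referrers):
    """Split sample Referer values into the ones the restriction lets through
    and the ones it blocks, so a wrong entry is caught before you click Save."""
    allowed = [r for r in referrers if referrer_allowed(patterns, r)]
    blocked = [r for r in referrers if not referrer_allowed(patterns, r)]
    return allowed, blocked


if __name__ == "__main__":
    patterns = referrer_allowlist(FIREBASE_CONFIG, ["CloudlyEngineer.com"])
    # Constructed samples: the real site, the Firebase hosting domain, and the
    # same config pasted into a look-alike domain and an unrelated site.
    samples = ["https://CloudlyEngineer.com/blog/post", "https://appName-1111.firebaseapp.com/",
               "https://CloudlyEngineer.com.evil.example/", "https://copycat.example/index.html"]
    for label, group in zip(("allowed", "blocked"), audit_referrers(patterns, samples)):
        print(label, group)
```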
How to secure Google API keys for App
Now let's secure them by only allowing requests initiated from whitelisted app bundle IDs.
- Navigate to https://console.developers.google.com/apis
- Go to your firebase project
- Go to credentials
- Under API keys, select the iOS key or Android key associated with your Firebase project (it should have the same value as the API key you use to initialize your Firebase app).
- Under Application restrictions, select iOS apps and add your bundle ID. You can find this in Xcode and elsewhere.
  - orgName.AppName
- Optional: if your keys were unrestricted prior to this change, I suggest regenerating a new key and updating your JavaScript!
- Save.
What Google must do!
Update your damn getting-started guides to make the keys secure before initializing them! I know they have a checklist, but as coders we tend to follow the technical guide more. Here's their checklist.