After creating a project in Firebase, multiple Google Cloud Platform API keys were auto-generated:

  • Server key (auto created by Firebase)
  • Android key (auto created by Firebase)
  • Browser key (auto created by Firebase)

All keys are marked with a "!" sign which says:

This API key is unrestricted. To prevent unauthorised use and quota theft, restrict your key to limit how it can be used.

My understanding was that Firebase handles GCP configuration and knows how to do it in a secure manner. The "Android key" is embedded inside the application, so it can be retrieved very easily from the apk.

Is any additional configuration necessary?

What permissions exactly is the key granted?

silviot
  • Did you find any additional information for your answer? – ahong Aug 04 '20 at 07:14
  • People who answered so far are missing a critical point that needs to be addressed: Google created and configured the keys automatically when enabling those authentication providers in Firebase. So the question is not about general API keys, but those auto-generated keys. How can Google justify generating something insecure? And more importantly: how to restrict the keys exactly in a manner that authentication will not break? – Martin Braun Jan 30 '22 at 19:07
  • Martin, I feel the same about the creation of an uncontrolled key without notice, but after the first shock I realised that as long as I don't use the actual generated key and I don't make it public I will stay in a safe situation (my main concern was on billing, by the way). – jpp Feb 24 '23 at 18:51
  • @jpp Correct, but when you implement authentication via OTP or Google Sign-In in an app, you have to ship your API keys with it. You then have to restrict the key to prevent it being used anywhere. After further investigation I can say that restricting the key won't break authentication, as long as you use it on real devices that use stock software; on Android it uses SafetyNet. Unfortunately, the captcha fallback method for custom ROMs or emulators will fail for restricted keys and [I suggested a fix to Google about this](https://github.com/firebase/firebase-android-sdk/issues/4398). – Martin Braun Feb 24 '23 at 19:18
  • @MartinBraun Maybe I didn't catch all the implications or implementations, but I don't mean to leave any key unrestricted. The position I have adopted is to create my own controlled key with all the restrictions I consider necessary, and ignore the "self created" one; ignore it and by no means disclose it. – jpp Feb 27 '23 at 18:13
  • @jpp I see, well you can just restrict the auto-generated key and you will be fine, at least that's what I do. – Martin Braun Feb 28 '23 at 16:16
  • @MartinBraun Absolutely! You're right. I just use my own key so I can name it as I want and let Firebase enjoy its own, ha ha ha – jpp Feb 28 '23 at 17:37

2 Answers

Although API keys for Firebase services are safe to include in code, there are a few specific cases when you should enforce limits for your API key.

From the documentation:

The API keys auto-created by Firebase, by default, have no restrictions. However, there are a few specific cases when you should enforce limits for your API key.

For more details check the documentation.

Dinario
  • I believe [this part of the docs](https://firebase.google.com/docs/projects/api-keys#apply-restrictions) and [this guide to apply API restrictions](https://cloud.google.com/docs/authentication/api-keys#api_key_restrictions) show pretty well what might happen if someone collected your key and used it: use those Google APIs in your name. – silviot Mar 03 '21 at 16:48
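A way to turn the "!" warning into a repeatable check, as an added example that is not part of this answer or of any Google tooling: it inspects each key's `restrictions` object (field names follow the API Keys v2 `Key` resource; the input is assumed to come from `gcloud services api-keys list --format=json`) and reports keys missing an application restriction, an API restriction, or both. The JSON below is a constructed sample, and the Identity Toolkit / Token Service service names are the ones Firebase Auth is assumed to need.

```python
import json

# Constructed sample in the shape of the API Keys v2 `Key` resource; the names,
# fingerprint and services are made up for illustration.
SAMPLE_KEYS_JSON = """
[
  {"name": "projects/example/locations/global/keys/k1",
   "displayName": "Android key (auto created by Firebase)",
   "restrictions": {}},
  {"name": "projects/example/locations/global/keys/k2",
   "displayName": "Browser key (auto created by Firebase)",
   "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["https://example.com/*"]}}},
  {"name": "projects/example/locations/global/keys/k3",
   "displayName": "Android key (restricted)",
   "restrictions": {
     "androidKeyRestrictions": {"allowedApplications": [
        {"packageName": "com.example.app", "sha1Fingerprint": "<SHA1-PLACEHOLDER>"}]},
     "apiTargets": [{"service": "identitytoolkit.googleapis.com"},
                    {"service": "securetoken.googleapis.com"}]}}
]
"""

# Any one of these present (and non-empty) means the key has an application restriction.
APP_RESTRICTION_FIELDS = ("androidKeyRestrictions", "iosKeyRestrictions",
                          "browserKeyRestrictions", "serverKeyRestrictions")


def audit_key(key):
    """Describe which restriction classes a single key is missing."""
    r = key.get("restrictions") or {}
    has_app = any(r.get(f) for f in APP_RESTRICTION_FIELDS)
    api_targets = [t.get("service") for t in r.get("apiTargets", []) if t.get("service")]
    findings = []
    if not has_app:
        findings.append("no application restriction (any app/site/IP can present this key)")
    if not api_targets:
        findings.append("no API restriction (usable against every API enabled in the project)")
    return {"name": key.get("displayName") or key.get("name"),
            "apis": api_targets, "findings": findings}


def audit_keys(keys_json):
    """Audit every key in a `gcloud services api-keys list --format=json` dump."""
    return [audit_key(k) for k in json.loads(keys_json)]


def unrestricted_keys(keys_json):
    """Keys with no restriction of either kind: the state the console warns about."""
    return [a["name"] for a in audit_keys(keys_json) if len(a["findings"]) == 2]


if __name__ == "__main__":
    for a in audit_keys(SAMPLE_KEYS_JSON):
        print(a["name"], "->", "; ".join(a["findings"]) or "restricted to " + ", ".join(a["apis"]))
```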
What is your definition of secure? Does the key allow access to privileged or valuable data? Anyone who has the API key can do anything the key allows. The issue is not whether the key is secure; the issue is how the key is managed, used and protected. Do you trust the people/software/services that have the key? If not, then the key is not secure.

My understanding was that Firebase handles GCP configuration and knows how to do it in secure manner.

That is an incorrect assumption. Google/Firebase does not configure your keys to be secure. It is up to your implementation to provide for and protect keys.

In summary, the answer to your question is that an API Key is not secure unless the environment that the key is used within is also secure.

John Hanley
  • The API key is supposed to be publicly distributed, so it can't be considered secure. I added the question _What permissions exactly is the key granted?_ to make it clearer what the problem is: the documentation does not enumerate the things one can do with the key. The best I could find is the list of Google APIs visible in their UI when following these instructions: https://cloud.google.com/docs/authentication/api-keys#api_key_restrictions – silviot Mar 03 '21 at 15:39
  • @silviot Google does not define the permissions, as API keys do not use permissions for authorization. The API key is the authorization mechanism. Any API that accepts API keys will be supported/allowed. API keys are legacy and Google is dropping their usage for many services. API keys are not intended for "public" distribution. They are intended for "controlled" distribution and have significant risks even in controlled distributions. You should not use API keys and instead use OAuth authorization. You will be forced to switch to OAuth for more and more services in the future. – John Hanley Mar 03 '21 at 19:13
  • I don't understand how I could follow your exhortation to _not use API keys and instead use OAuth authorization_ in my case: I'm using Firebase and Firestore. Would you care to elaborate and point me to some sources documenting how this would be possible? – silviot Mar 04 '21 at 08:45