0

Apparently, Google offers a system that allows API consumers to use their APIs only in Android applications for security.

To use this system, you only need to give the Android package name and the SHA-1 key of your application's Keystore file.

Can this security measure be circumvented? What kind of communication is going on between the Android app and the Google server in the background?

ridvanaltun
  • "I want to add same thing into my APIs for security." First off, understand that it's not part of the API; it's part of the authorization server. This would have to be implemented in your OAuth server. Users of your API would have to create projects and clients like you do in the developer console. – Linda Lawton - DaImTo Sep 10 '21 at 09:09
  • Please clarify your specific problem or provide additional details to highlight exactly what you need. As it's currently written, it's hard to tell exactly what you're asking. – Community Sep 16 '21 at 13:27

1 Answer

0

Google extracts the signing signature (SHA-1 key) and package name from the app at runtime, then puts both into headers in its HTTP request. The signing signature can be extracted from the .apk file; therefore, we can say that Google's API restriction is not so secure for Android.

ridvanaltun
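A sketch of the server-side check that the answer and the first comment describe, for someone building the same restriction into their own authorization server. This is an added example, not Google's code and not code from the post; the header names, class and function names, and the sample certificate bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Hypothetical header names for your own authorization server (assumption).
PACKAGE_HEADER = "X-App-Package"
CERT_HEADER = "X-App-Cert-SHA1"
# Constructed sample: stand-in bytes, not a real DER certificate.
SAMPLE_CERT = b"constructed signing certificate bytes"


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-1 over the DER-encoded signing certificate, as lowercase hex."""
    return hashlib.sha1(der_cert).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..' or plain hex; return 40 lowercase hex chars, or ''."""
    hexed = fp.replace(":", "").strip().lower()
    ok = len(hexed) == 40 and all(c in "0123456789abcdef" for c in hexed)
    return hexed if ok else ""


class ClientRegistry:
    """API key -> (package name, fingerprint) pairs the developer registered."""

    def __init__(self):
        self._clients = {}

    def register(self, api_key, package, fingerprint):
        fp = normalize(fingerprint)
        if not fp:
            raise ValueError("fingerprint must be 20 bytes of hex")
        self._clients.setdefault(api_key, set()).add((package, fp))

    def check(self, api_key, headers):
        """True if the identity claimed in the headers matches a registration."""
        # Both values are supplied by the client, so a match limits casual
        # misuse of a leaked key; it does not prove which app sent the request.
        h = {k.lower(): v for k, v in headers.items()}
        package = h.get(PACKAGE_HEADER.lower(), "")
        fp = normalize(h.get(CERT_HEADER.lower(), ""))
        if not fp:
            return False
        matched = False
        for reg_pkg, reg_fp in self._clients.get(api_key, ()):
            same = hmac.compare_digest(reg_pkg.encode(), package.encode())
            same = same and hmac.compare_digest(reg_fp, fp)
            matched = matched or same  # no early exit across registrations
        return matched
```

The server sees nothing except the two header strings, which is why a match should be treated as a usage restriction on the API key and not as authentication of the caller.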