Firebase API key restriction not working with Android app package name and SHA1 fingerprint

点点圈 submitted on 2019-12-12 21:25:19

Question


We are using Google Firebase to get Crashlytics data for our app, and the API key that is exposed through the google-services.json file was brought up as a security concern, as the app's APK file can be reverse engineered to get this file, which can then be used by an attacker to send data to our Firebase account.

To avoid this, we tried to follow this documentation to restrict the API key usage such that it can only be used by our app. This is achieved by restricting it with the package name and the SHA1 fingerprint of the keystore of our app.

However, when we tested it out, it didn't work as expected. We were still able to send crash data via a fake app that has the same package name and the same google-services.json file but a different keystore file.

Based on the accepted answer of this question, this approach should work. We would appreciate it a lot if anyone with experience on this could share it with us.

Source: https://stackoverflow.com/questions/53942388/firebase-api-key-restriction-not-working-with-android-app-package-name-and-sha1
