01-05-2022 02:52 PM
I integrated the Firebase Unity SDK v8.7.0 for Firebase Storage and confirmed it works, but after setting it up per their documentation (https://firebase.google.com/docs/storage/unity/start) I got a security vulnerability failure, "GCP API Keys Exposed in App":
This appears to be due to the 'google-services.json' file that Firebase provides when you set up your project. Firebase asks you to put this file anywhere in your unity project. This file does contain an API key. But according to Firebase, it is "used when calling certain APIs that don't need to access private user data" and Firebase requires this key to work. See here: https://firebase.google.com/docs/projects/learn-more#config-files-objects
How can this issue be fixed so that my app passes the security vulnerability test?
Solved! Go to Solution.
01-05-2022 04:00 PM
For anyone who had the same issue, this is fixed by going into the Google Cloud Console, navigating to APIs & Services > Credentials > API Keys, and changing the restrictions on each key to "Android apps". You will need to enter your package name and SHA1 fingerprint.
To extract your SHA1 fingerprint from your keystore file, use the command line "keytool" app. Open a command prompt as administrator, change the directory to C:\Program Files\Java\jdk1.8.0_301\bin (or whatever jdk version you have), and then run: keytool -exportcert -keystore "[FILEPATH TO YOUR KEYSTORE]" -list -v
You'll need to enter your password, then it should pop out your SHA1, which you enter into the Google Cloud Console to restrict your API keys to Android apps.
01-05-2022 04:00 PM
For anyone who had the same issue, this is fixed by going into the Google Cloud Console, navigating to APIs & Services > Credentials > API Keys, and changing the restrictions on each key to "Android apps". You will need to enter your package name and SHA1 fingerprint.
To extract your SHA1 fingerprint from your keystore file, use the command line "keytool" app. Open a command prompt as administrator, change the directory to C:\Program Files\Java\jdk1.8.0_301\bin (or whatever jdk version you have), and then run: keytool -exportcert -keystore "[FILEPATH TO YOUR KEYSTORE]" -list -v
You'll need to enter your password, then it should pop out your SHA1, which you enter into the Google Cloud Console to restrict your API keys to Android apps.
01-05-2022 04:01 PM
After doing that, I created a new build (without changing a thing in Unity), uploaded it, and it passed the security vulnerability test.
05-06-2022 11:48 PM
I thought Firebase sdk's need Google play services libraries. I see quest 2 doesn't have those inbuilt.
How did you manage to make it work?
05-09-2022 10:03 AM
Google Play services are no longer required with the latest version of the Firebase SDK!