Security Vulnerability - "GCP API Keys Exposed in App" after integrating Firebase Storage

AFE_Foreman
Level 4

I integrated the Firebase Unity SDK v8.7.0 for Firebase Storage and confirmed it works, but after setting it up per their documentation (https://firebase.google.com/docs/storage/unity/start) I got a security vulnerability failure, "GCP API Keys Exposed in App":

 

[Image: Security Vulnerability after Firebase Integration 2022-01-05_02.jpg]

 

This appears to be due to the 'google-services.json' file that Firebase provides when you set up your project. Firebase asks you to put this file anywhere in your Unity project. This file does contain an API key. But according to Firebase, it is "used when calling certain APIs that don't need to access private user data" and Firebase requires this key to work. See here: https://firebase.google.com/docs/projects/learn-more#config-files-objects

How can this issue be fixed so that my app passes the security vulnerability test?

1 ACCEPTED SOLUTION

Accepted Solutions

AFE_Foreman
Level 4

For anyone who had the same issue, this is fixed by going into the Google Cloud Console, navigating to APIs & Services > Credentials > API Keys, and changing the restrictions on each key to "Android apps". You will need to enter your package name and SHA1 fingerprint.

To extract your SHA1 fingerprint from your keystore file, use the command line "keytool" app. Open a command prompt as administrator, change the directory to C:\Program Files\Java\jdk1.8.0_301\bin (or whatever jdk version you have), and then run: keytool -exportcert -keystore "[FILEPATH TO YOUR KEYSTORE]" -list -v

You'll need to enter your password, then it should pop out your SHA1, which you enter into the Google Cloud Console to restrict your API keys to Android apps.

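As an added helper (not code from the original post, Firebase or Google), the script below does the two fiddly parts of the accepted solution offline: it pulls the SHA1 fingerprint out of the `keytool -list -v` output and pairs it with the package name and API key values that ship in google-services.json, producing the exact (package name, key, fingerprint) rows to enter as "Android apps" restrictions in the Cloud Console. The keytool output, package name and key value are constructed samples, not real credentials.

```python
import json
import re

# Constructed sample of `keytool -exportcert -keystore <file> -list -v` output
# (hypothetical fingerprints, not a real certificate). Only the fingerprint lines matter.
KEYTOOL_OUTPUT = """\
Certificate fingerprints:
\t SHA1: ab:12:cd:34:ef:56:01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab
\t SHA256: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
"""

# Constructed minimal google-services.json (hypothetical package name and key value).
GOOGLE_SERVICES_JSON = """{
  "project_info": {"project_id": "example-project"},
  "client": [{
    "client_info": {"android_client_info": {"package_name": "com.example.questapp"}},
    "api_key": [{"current_key": "AIza-PLACEHOLDER-KEY"}]
  }]
}"""

FINGERPRINT_RE = re.compile(r"^\s*(SHA1|SHA256):\s*((?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})\s*$", re.M)
EXPECTED_BYTES = {"SHA1": 20, "SHA256": 32}

def parse_fingerprints(keytool_text):
    """Return {'SHA1': 'AB:12:...', 'SHA256': ...} from keytool -list -v output, upper-cased."""
    found = {}
    for algo, fp in FINGERPRINT_RE.findall(keytool_text):
        if len(fp.split(":")) != EXPECTED_BYTES[algo]:   # guard against truncated/garbled lines
            raise ValueError(f"{algo} fingerprint has the wrong length: {fp}")
        found[algo] = fp.upper()
    if "SHA1" not in found:
        raise ValueError("no SHA1 line found; run keytool with -list -v")
    return found

def android_restrictions(google_services_text, sha1):
    """Return (package_name, api_key, sha1) rows: one 'Android apps' restriction per shipped key."""
    cfg = json.loads(google_services_text)
    rows = []
    for client in cfg.get("client", []):
        pkg = client["client_info"]["android_client_info"]["package_name"]
        for key in client.get("api_key", []):   # every key in this file is in the APK, so restrict each
            rows.append((pkg, key["current_key"], sha1))
    return rows

if __name__ == "__main__":
    sha1 = parse_fingerprints(KEYTOOL_OUTPUT)["SHA1"]
    for pkg, key, fp in android_restrictions(GOOGLE_SERVICES_JSON, sha1):
        print(f"restrict key {key}: package={pkg} sha1={fp}")
```

To use it on a real project, replace the two constructed samples with the actual keytool output and the google-services.json from the Unity project; the printed rows are what the Cloud Console's "Android apps" restriction asks for.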

4 REPLIES


AFE_Foreman
Level 4

After doing that, I created a new build (without changing a thing in Unity), uploaded it, and it passed the security vulnerability test.

I thought Firebase SDKs need Google Play services libraries. I see Quest 2 doesn't have those inbuilt.

How did you manage to make it work?

Google Play services are no longer required with the latest version of the Firebase SDK!