I have a question about the subject.
I sometimes used Google Maps when creating apps.
"We created it by referring to books, etc., and there was a procedure in which ""acquire API keys from certificate fingerprints."""
I was able to successfully create the app using the procedure described, but I do not understand what is being done with this procedure.
Professor, thank you for your cooperation.
Google needs to know who (which apps) are using the API.This "who" identifies is a string called the "API key."API usage is related to billing and so on, so you have to keep your API key secret so that others don't use of your API key.
However, in the case of an application that is placed in the hands of a user, the API key can be stolen because the user can analyze the application containing the API key freely.It's difficult to keep the key from being stolen, so I decided to ask for "evidence that it's an application linked to that API key" instead.This is the certificate fingerprint and package name.
*If it is not an Android app, I will use other evidence
When installing the Android app on the actual machine, you must sign it digitally.Only the developer of the app has the private key and certificate used at this time, so even if someone creates an app with the same name, it is difficult to create an app with the same signature.This way, you don't have to embed the key itself, so you don't have to risk stealing from the distributed apps.
The certificate fingerprint is a unique value calculated from the certificate, and different or tampered certificates have different values.The certificates used for Android apps and Java digital signatures are managed by a tool called keytool, and fingerprints are also calculated using this tool.
The keys used for digital signatures can be the same for multiple apps, so I will register the package name as well.This prevents API keys from being used around between apps, but I'm not sure why.
© 2024 OneMinuteCode. All rights reserved.