Google play console gives security alert - Vulnerable
Can anyone have idea why is it giving security alert
Here are the builld.gradle file the library which Iām using in app.
compileSdkVersion 28
defaultConfig {
applicationId ā************ā
minSdkVersion 16
targetSdkVersion 28
versionCode 126
versionName "2.14.3"
multiDexEnabled true
testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"
// resConfigs "en" // Commented because need to support MultiLanguage
ndk.abiFilters 'armeabi-v7a', 'arm64-v8a', 'x86', 'x86_64'
}
api 'androidx.legacy:legacy-support-v4:1.0.0-beta01'
api 'androidx.appcompat:appcompat:1.0.0-beta01'
api 'com.google.android.material:material:1.0.0-beta01'
api 'androidx.cardview:cardview:1.0.0-beta01'
api 'androidx.recyclerview:recyclerview:1.0.0-beta01'
api 'com.google.android.gms:play-services-maps:17.0.0'
api 'com.google.android.gms:play-services-places:17.0.0'
api 'com.google.android.libraries.places:places:2.1.0'
api 'com.google.android.gms:play-services-auth:17.0.0'
api 'androidx.multidex:multidex:2.0.1'
api 'com.google.firebase:firebase-core:17.2.1'
api 'com.google.firebase:firebase-messaging:20.0.1'
api 'com.google.firebase:firebase-auth:19.2.0'
api 'com.google.firebase:firebase-config:19.0.3'
api 'com.google.android.play:core:1.5.0'
Alert Play Console is showing
Vulnerable locations:
**.**.*********.****.SliderImage.YouTubeVideo->onActivityResult
**.**.*********.****.SliderImage.YouTubeVideo->onCreate
**.**.*********.****.LocationAndContactActivity->setupAutocompleteFragment
**.**.*********.****.LocateOnGoogleMapActivity->setupAutocompleteFragment
**.**.*********.****.MediaDetailsActivity$13$1$1->run
**.**.*********.****.MediaDetailsActivity$6->onClick
**.**.*********.****.MediaDetailsActivity->assignYoutubeThumbnail
**.**.*********.****.adapter.MediaAdapter$3->onClick
**.**.*********.****.adapter.MediaAdapter->onBindViewHolder
**.**.*********.****.CustomPages_Adapter$4->onClick
**.**.*********.****.CustomPages_Adapter->onBindViewHolder
**.**.*********.****.adapter.CustomPagesAdapter$4->onClick
**.**.*********.****.adapter.CustomPagesAdapter->onBindViewHolder
**.**.*********.****.ProductDetailsActivity$11->onClick
**.**.*********.****.ProductDetailsActivity$26$1$1->run
**.**.*********.****.ProductDetailsActivity->onCreate
**.**.*********.****.WebPostDetailActivity->setupAutocompleteFragment
**.**.*********.****.adapter.WebPostAdapter$4->onClick
**.**.*********.****.adapter.WebPostAdapter->onBindViewHolder
**.**.*********.****.FourthStageActivity->setupAutocompleteFragment
This happens usually when your API keys are exposed which means you are using API keys directly into application code. so anyone can just extract your apk and get the API keys easily and exhaust your usage quotas.
FIX
There are several methods to hide your API keys. one of the best method is storing it in external server and retrieving it.
You may also use other methods too from the link below,
Methods with explanations
Restricting API keys
Encryption methods
Related
I am planning to use Firebase for auth purpose for my Application. The app has a java based back-end using Spring Boot. My understanding so far is that Firebase will handle different type of login options interacting directly with my front-end code and in return will give a token after user has logged in(primarily email based,Google or FB login). I have a few questions:
Does it provide a JWT type token that can be used in conjunction with my back-end without having to talk to Firebase servers from my back-end? I guess its not and SDK provides ways to validate token
Is there a good example of configuring my spring security to validate the the token and get user details?
I could not find a working example with Admin SDK of firebase using spring security.
What other tech stack options I have? I read Amazon Cognito could be one. My app is more of a POC and don't want to host my auth server as well.
What the recommendation on storing the user info in my own back-end or should I just rely on firebase servers to handle my user base?
Pardon my primitive understanding of Auth frameworks!
I am trying to secure an endpoint in spring boot using Azure spring boot libraries. I'm following the samples from https://github.com/microsoft/azure-spring-boot/tree/master/azure-spring-boot-samples/azure-active-directory-spring-boot-sample
I can't get a clear answer if I should use Id_token or Access_token when making the API call from my front end application written in React.
https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens
I think docs from this link above states that I should use Access_token to secure the endpoints but, in that azure-spring-boot-samples, they used id_token to make the API calls.
I've tried to use the same code and test an API call. API call is successful if I use id_token in header. It fails signature check if I pass access_token in header.
I figured this out after understanding the big picture. All applications either front end or back end most likely should be using different app IDs. On Azure portal I would define which app have permission to call which API. Then, when I get access token, I would have to specify what app I am getting access to. This is laid out in MSAL doc from Microsoft. https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-acquire-cache-tokens
Also, only the access_token allows you to assert claims for things like Role Based Access Control in the token. The ID token is usually shorter lived and has less information. In general it is a better practice to use the access_token.
I am using MSAL.JS to attempt to acquire a token within a single-page application (SPA).
This is the authority URI that we are seeing in the traces:
https://login.microsoftonline.us/organizations/v2.0/.well-known/openid-configuration
This produces the following error:
AADSTS50038: The API version isn't supported
Trace ID: 38d01881-d864-4ba4-b3d5-c168739f0900
Correlation ID: e9eb70cb-5774-4579-a113-53c4ca762d90
Timestamp: 2018-04-18 15:42:16Z
If I login to the portal with my credentials then call the SPA, the app authenticates and I can continue to use it. I think this is because of the browser caching the session and login information and never making the call to the V2.0 endpoint.
Received the answer to this question on a separate thread.
At present, the V2 application model is not fully implemented or supported in any sovereign cloud (Azure Government, Azure China, Azure Germany).
Once the model is tested and proven in the public cloud, it will be ported to the government clouds.
I am trying to list all the events in a certain public calendar in a nicely formatted manner on my web page without having a general/public visitor to my web site login or authenticate in any way. I have been doing this since December 2010 using v1 and the Zend Framework. On November 17, 2014 Google deprecated v1 and v2 and now my web page is broken.
Here is what I've done so far:
created a project in the Google Developer's Console
turned on Calendar API
installed PHP Client Library on my server from GitHub (yesterday - release 1.1.1)
ensured JSON PHP Extension is installed on my server
created OAuth 2.0 credentials
created Public API Access key
ensured my calendars are still publicly viewable (they have been since December 2010)
Here is my code snippet:
require_once 'autoload.php'; // 2014-11-24 part of /usr/local/lib/php/google-api-php-client
$client = new Google_Client();
$client->setApplicationName("One_of_my_Calendars");
$client->setDeveloperKey("MY-PUBLIC-API-ACCESS-KEY"); // 2014-11-24 my Public API Access Key
$service = new Google_Service_Calendar($client);
$results = $service->events->listEvents('primary');
Here is the error message I am getting:
Fatal error: Uncaught exception 'Google_Service_Exception' with message 'Error calling GET https://www.googleapis.com/calendar/v3/calendars/primary/events?key=MY-PUBLIC-API-ACCESS-KEY: (403) Access Not Configured. The API is not enabled for your project, or there is a per-IP or per-Referer restriction configured on your API key and the request does not match these restrictions. Please use the Google Developers Console to update your configuration.' in /usr/local/lib/php/google-api-php-client/src/Google/Http/REST.php:76 Stack trace: #0 /usr/local/lib/php/google-api-php-client/src/Google/Http/REST.php(41): Google_Http_REST::decodeHttpResponse(Object(Google_Http_Request)) #1 /usr/local/lib/php/google-api-php-client/src/Google/Client.php(548): Google_Http_REST::execute(Object(Google_Client), Object(Google_Http_Request)) #2 /usr/local/lib/php/google-api-php-client/src/Google/Service/Resource.php(190): Google_Client->execute(Object(Google_Http_Request)) #3 /usr/local/lib/php/google-api-php-client/src/Google/Servi in /usr/local/lib/php/google-api-php-client/src/Google/Http/REST.php on line 76
Screen Shots:
https://drive.google.com/file/d/0Bytqhoir_Tt5ODRaNzRvS2FZRWs/view?usp=sharing
https://drive.google.com/file/d/0Bytqhoir_Tt5MzlqLWF2Q3M2bUk/view?usp=sharing
Assuming you are accessing public calendars (so no need for Oauth2), there are still two issues:
Issue no.1 you need to have a working API key from a project which has Calendar API enabled in the developer console.
Issue no.2 is your usage of the keyword "primary" without being authenticated. Replace it with the email address of the calendar that you want to access.
I have a canvas app presently using Koala 1.1.0 and the Javascript SDK. I a have been using the OAuth authentication for months now but when I try and use "ouath:true" in my javascript to display the friend picker I am getting this error:
API Error Code: 102
API Error Description: Session key invalid or no longer valid
Error Message: Iframe dialogs must be called with a session key
Are there extra migrations I need to turn on within the app settings to get things working? Do I need to be on SSL right now for this to work?
Thanks,
Mark
You should upgrade Koala. Its Github repository suggests that version 1.2 supports OAuth 2.0 and the new cookie format.