Protect your ML Kit Android app's Cloud credentials

If your Android app uses one of ML Kit's cloud APIs, before you launch your app in production, you should take some additional steps to prevent unauthorized API access.

For your production apps, you will configure ML Kit so that only authenticated clients, that is, apps signed with a certificate you have registered with Firebase, can access cloud services. (Note that only physical, non-rooted devices can authenticate using the method described; emulators and rooted devices cannot.)

Then, you will create a debug-only API key that you can use for convenience during testing and development.

1. Register your production apps with Firebase

First, register your production apps with Firebase.

The fastest way to do this is to link your Firebase Project with your Google Play project. You can do so from the Integrations section of your project settings in the Firebase console.

When you link your projects, your production apps' SHA-1 signatures are imported into your Firebase project, which you can confirm on the Settings page. Note that linking your Firebase and Google Play projects also makes other Google Play data, including crash and revenue statistics, accessible to Firebase, and Firebase data, including analytics, accessible to Google Play.

Alternatively, if you don't want to share data between your Firebase and Google Play projects, you can specify your apps' SHA-1 signatures yourself on the Settings page. See Authenticating your client to learn how to get your apps' SHA-1 signatures.

2. Restrict the scope of your API keys

Next, configure your existing API keys to disallow access to the Cloud Vision API:

  1. Open the Credentials page of the Cloud console.

  2. For each API key in the list, open the editing view and, in the Key Restrictions section, restrict the key to a list of APIs that contains every API the key legitimately needs but not the Cloud Vision API. A key with no API restriction can call any API enabled on the project, including Cloud Vision, so leave none of your existing keys unrestricted.

3. Create and use a debug-only API key

Finally, create a new API key to be used only for development. ML Kit can use this API key to access Cloud services in environments where app authentication isn't possible, such as when running on emulators. Because the key is accepted without any app authentication, anyone who obtains it can use it against your project, so it must never ship in a release build.

  1. Create a new API key to be used for development:

    1. Open the Credentials page of the Cloud console.
    2. Click Create credentials > API key and take note of the new API key. This key allows API access from unauthenticated apps, so keep this key confidential.
  2. To ensure the new debug API key is not leaked with your released app, specify the debug API key in an Android manifest file used only for debug builds:

    1. If you don't already have a debug manifest, create one in Android Studio by clicking File > New > Other > Android Manifest File and selecting debug as the target source set. In the default module layout this places the file at app/src/debug/AndroidManifest.xml, where it is merged only into debug variants.

    2. In the debug manifest, add the following declaration:

      <application>
      <meta-data
          android:name="com.firebase.ml.cloud.ApiKeyForDebug"
          android:value="your-debug-api-key" />
      </application>
      
  3. In your app, configure ML Kit to use certificate fingerprint matching to authenticate your client in production and to use API keys—the debug key—only in debug builds:

    import com.google.firebase.ml.vision.FirebaseVision;
    import com.google.firebase.ml.vision.cloud.FirebaseVisionCloudDetectorOptions;
    import com.google.firebase.ml.vision.common.FirebaseVisionImage;

    FirebaseVisionCloudDetectorOptions.Builder optionsBuilder =
            new FirebaseVisionCloudDetectorOptions.Builder();
    if (!BuildConfig.DEBUG) {
        // Release builds: authenticate by matching the app's signing certificate
        // against the SHA-1 registered in Firebase (step 1). Requires a physical,
        // non-rooted device; no API key is used on this path.
        optionsBuilder.enforceCertFingerprintMatch();
    }
    // Debug builds skip the check and fall back to the
    // com.firebase.ml.cloud.ApiKeyForDebug key from the debug manifest.

    // Set other options. For example:
    optionsBuilder.setModelType(FirebaseVisionCloudDetectorOptions.STABLE_MODEL);
    // ...

    // And lastly, build the options and run the detector. `image` is the
    // FirebaseVisionImage you want labelled, e.g. FirebaseVisionImage.fromBitmap(bitmap).
    FirebaseVisionCloudDetectorOptions options = optionsBuilder.build();
    FirebaseVision.getInstance().getVisionCloudLabelDetector(options).detectInImage(image);
    
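The procedure above relies on the debug manifest being merged only into debug variants, which is easy to get wrong (a manifest dropped into the main source set, or a key copied into a string resource or BuildConfig field, silently ends up in the release APK). The following script, an added example written for this page and not part of ML Kit or Firebase, checks a built release APK for the `com.firebase.ml.cloud.ApiKeyForDebug` meta-data name and, optionally, for the debug key value itself. Android compiles the manifest into binary AXML whose string pool may be UTF-8 or UTF-16LE, so both encodings are searched, and every zip entry is scanned rather than only the manifest. The `build_fake_apk` helper and the key value `AIzaSy-CONSTRUCTED-DEBUG-KEY` are constructed test fixtures, not real artifacts.

```python
"""Check a release APK for the ML Kit debug-only API key.

Usage:  python check_apk.py app-release.apk [debug-api-key]
Exit status 1 if the debug meta-data name or the key value is found.
"""
import io
import sys
import zipfile

# Meta-data name that the debug manifest declares (from the ML Kit docs).
DEBUG_META_NAME = "com.firebase.ml.cloud.ApiKeyForDebug"


def _encodings(text):
    """AXML string pools store strings as UTF-8 or UTF-16LE; search for both."""
    return (text.encode("utf-8"), text.encode("utf-16-le"))


def find_leaks(apk_bytes, debug_key=None):
    """Return (zip entry, needle) pairs for every place the debug meta-data
    name or the debug key bytes occur inside the APK.

    Every entry is scanned, not just AndroidManifest.xml, so a key that was
    copied into classes.dex (BuildConfig) or resources.arsc is caught too.
    """
    needles = [DEBUG_META_NAME]
    if debug_key:
        needles.append(debug_key)
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            for needle in needles:
                if any(enc in data for enc in _encodings(needle)):
                    hits.append((info.filename, needle))
    return hits


def release_apk_is_clean(apk_bytes, debug_key=None):
    """True when neither the debug meta-data name nor the key is present."""
    return not find_leaks(apk_bytes, debug_key)


def build_fake_apk(manifest_strings):
    """Constructed fixture (assumption, not a real APK): a zip holding a
    pseudo-AXML manifest whose strings are UTF-16LE encoded, as the real
    compiled manifest's string pool usually is, plus a dummy classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        pool = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in manifest_strings)
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + pool)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(__doc__)
    with open(sys.argv[1], "rb") as f:
        apk = f.read()
    key = sys.argv[2] if len(sys.argv) > 2 else None
    leaks = find_leaks(apk, key)
    for entry, needle in leaks:
        print(f"LEAK: {needle!r} found in {entry}")
    sys.exit(1 if leaks else 0)
```

Run it against the signed release APK as a CI gate before upload. A hit on `classes.dex` or `resources.arsc` rather than the manifest means the key reached the build through code or resources, not the manifest merge, and the offending source has to be found separately; this script only proves presence, not the path in.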

Next steps

See the launch checklist for information on preparing your app to launch when using other Firebase features.
