Protect your Firebase ML Android app's Cloud credentials

If your Android app uses one of Firebase ML's cloud APIs, before you launch your app in production, you should take some additional steps to prevent unauthorized API access.

For your production apps, you will ensure that only authenticated clients can access cloud services. (Note that only non-rooted devices can authenticate using the method described.)

Then, you will create a debug-only API key that you can use for convenience during testing and development.

1. Register your production apps with Firebase

First, register your production apps with Firebase.

  1. Make sure that you have your app's SHA-1 signatures. Refer to Authenticating your client to learn how.

  2. Go to your Project settings in the Firebase console, then select the Settings tab.

  3. Scroll down to the Your apps card, then select your Android app.

  4. Add your app's SHA-1 signature to your app's information.

2. Restrict the scope of your API keys

Next, configure your existing API keys to disallow access to the Cloud Vision API:

  1. Open the Credentials page of the Google Cloud console. When prompted, select your project.

  2. For each existing API key in the list, open the editing view.

  3. In the API restrictions section, select Restrict key, then add to the list all of the APIs to which you want the API key to have access. Make sure to not include the Cloud Vision API.

    When you configure an API key's API restrictions, you are explicitly declaring the APIs to which the key has access. By default, when the API restrictions section has Don't restrict key selected, an API key can be used to access any API that is enabled for the project.

Now, your existing API keys will not grant access to cloud ML services, but each key will continue to work for any APIs that you added to its API restrictions list.

Note that if you enable any additional APIs in the future, you must add them to the API restrictions list for the applicable API key.

3. Create and use a debug-only API key

Finally, create a new API key to be used only for development. Firebase ML can use this API key to access Google Cloud services in environments where app authentication isn't possible, such as when running on emulators.

  1. Create a new API key to be used for development:

    1. Open the Credentials page of the Google Cloud console. When prompted, select your project.

    2. Click Create credentials > API key and take note of the new API key. This key allows API access from unauthenticated apps, so keep this key confidential.

  2. To ensure the new debug API key is not leaked with your released app, specify the debug API key in an Android manifest file used only for debug builds:

    1. If you don't already have a debug manifest, create one by clicking File > New > Other > Android Manifest File and selecting debug from the target source sets.

    2. In the debug manifest, add the following declaration:

      <application>
        <meta-data
            android:name="com.firebase.ml.cloud.ApiKeyForDebug"
            android:value="your-debug-api-key" />
      </application>

  3. In your app, configure Firebase ML to use certificate fingerprint matching to authenticate your client in production and to use API keys (the debug key) only in debug builds:

    Kotlin

    val optionsBuilder = FirebaseVisionCloudImageLabelerOptions.Builder()
    if (!BuildConfig.DEBUG) {
        // Requires physical, non-rooted device:
        optionsBuilder.enforceCertFingerprintMatch()
    }

    // Set other options. For example:
    optionsBuilder.setConfidenceThreshold(0.8f)
    // ...

    // And lastly:
    val options = optionsBuilder.build()
    FirebaseVision.getInstance().getCloudImageLabeler(options).processImage(myImage)

    Java

    FirebaseVisionCloudImageLabelerOptions.Builder optionsBuilder =
            new FirebaseVisionCloudImageLabelerOptions.Builder();
    if (!BuildConfig.DEBUG) {
        // Requires physical, non-rooted device:
        optionsBuilder.enforceCertFingerprintMatch();
    }

    // Set other options. For example:
    optionsBuilder.setConfidenceThreshold(0.8f);
    // ...

    // And lastly:
    FirebaseVisionCloudImageLabelerOptions options = optionsBuilder.build();
    FirebaseVision.getInstance().getCloudImageLabeler(options).processImage(myImage);
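
A build-time check for the debug-manifest step above, written as an added example that is not part of the Firebase documentation: it parses the manifest text of a release build and reports any `com.firebase.ml.cloud.ApiKeyForDebug` entry, without echoing the full key. The function names and both sample manifests are constructed for illustration; how you obtain the release build's merged manifest is left to your build setup.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
DEBUG_KEY_META = "com.firebase.ml.cloud.ApiKeyForDebug"  # name used on this page


def redact(value):
    """Keep only the first 4 characters so reports never echo a full key."""
    return value[:4] + "..." if len(value) > 4 else "..."


def audit_release_manifest(manifest_xml):
    """Return a list of findings; an empty list means the manifest is clean.

    Fails closed: a manifest that cannot be parsed is reported as a finding.
    """
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError as exc:
        return [f"manifest is not well-formed XML: {exc}"]
    findings = []
    # meta-data normally sits under <application>, but walk the whole tree.
    for node in root.iter("meta-data"):
        if node.get(ANDROID_NS + "name") == DEBUG_KEY_META:
            value = node.get(ANDROID_NS + "value", "")
            findings.append(f"{DEBUG_KEY_META} present (value {redact(value)})")
    return findings


# Constructed sample manifests (not taken from a real app).
DEBUG_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <meta-data
        android:name="com.firebase.ml.cloud.ApiKeyForDebug"
        android:value="your-debug-api-key" />
  </application>
</manifest>"""

RELEASE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:label="Example" />
</manifest>"""

if __name__ == "__main__":
    for label, xml_text in (("release", RELEASE_MANIFEST), ("debug", DEBUG_MANIFEST)):
        print(label, audit_release_manifest(xml_text) or "clean")
```

Run it against the release variant only; a non-empty result means the debug key declaration ended up in a manifest that ships.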

Next steps

See the launch checklist for information on preparing your app to launch when using other Firebase features.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-03 UTC.