Google Cloud Storage Authentication

5
votes

I build Android app link to Google Cloud Storage. I want to allow access to GCS to my android app ONLY.

Google offers three solutions to securely connect to GCS:

  • Oauth 2.0 (So with google account)
  • Cookie-base Account (With google account too)
  • Service Account Authentication (With private Key, but locally installed on Android App: Very Bad if someone decompile my .apk)

Source: https://developers.google.com/storage/docs/authentication?hl=FR

Is there any other solution to connect securely over GCS ? I would like to connect on GCS to this way (Restrict to Android client ID: SHA1 to your .apk) : https://developers.google.com/appengine/docs/java/endpoints/auth

It is possible with GCS ? Should I use Blobstore to do that ?

Thanks in advance

2
google-app-engineauthenticationgoogle-cloud-storagegoogle-cloud-endpointsblobstore
I have posted a new question. It's related. stackoverflow.com/q/28001476/3216207Oru

2 Answers

4
votes

This is something of a fundamental problem with computing. You can never completely trust that an application running on hardware that is under the total control of an unknown third party has not been somehow tampered with. There are many, many techniques to make tampering much more difficult, but remote systems will never be completely secure. There are several ways to verify that a user has a particular Google account, but you can't easily trust with certainty that a certain app is exactly your app.

That said, there are plenty of ways to design a secure application without trusting the client. What does your app need to be authorized to do? Upload objects? Download secure objects? Is there something bad that a user masquerading as your application could do?

0
votes

I think you can use 1) to authenticate the information. The app will forward the authentication request to your server (with your own app login token), and when the user is validated by your own services, then the app will receive the oauth token to send to gcloud and receive the desired file.