Protect your Firebase ML Android app's Cloud credentials
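If your Android app uses one of Firebase ML's cloud APIs, take some additional steps to prevent unauthorized API access before you launch your app in production.
For your production apps, you will ensure that only authenticated clients can access cloud services. (Note that only non-rooted devices can authenticate using the method described.)
Then, you will create a debug-only API key that you can use for convenience during testing and development.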
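1. Register your production apps with Firebase
First, register your production apps with Firebase.
Make sure that you have your app's SHA-1 signatures. Refer to "Authenticating your client" to learn how.
Go to "Project settings" in the Firebase console, then select the "Settings" tab.
Scroll down to the "Your apps" card, then select your Android app.
Add your app's SHA-1 signature to your app's information.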
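2. Restrict the scope of your API keys
Next, configure your existing API keys to disallow access to the Cloud Vision API:
Open the "Credentials" page of the Google Cloud console. When prompted, select your project.
For each existing API key in the list, open the editing view.
In the "API restrictions" section, select "Restrict key", then add to the list all of the APIs to which you want the API key to have access. Make sure not to include the Cloud Vision API.
When you configure an API key's API restrictions, you are explicitly declaring the APIs to which the key has access. By default, when the "API restrictions" section has "Don't restrict key" selected, an API key can be used to access any API that is enabled for the project.
Now, your existing API keys will not grant access to cloud ML services, but each key will continue to work for any APIs that you added to its "API restrictions" list.
Note that if you enable any additional APIs in the future, you must add them to the "API restrictions" list for the applicable API key.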
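The restriction step above can be re-checked after every console change. The following is an added example, not code from the Firebase documentation: it audits a list of keys and reports any that can still reach the Cloud Vision API. The JSON shape (`displayName`, `restrictions.apiTargets[].service`) is assumed to match the API Keys API key resource as printed by `gcloud services api-keys list --format=json`; the key names and sample data are constructed.

```python
import json

VISION = "vision.googleapis.com"  # service name of the Cloud Vision API

# Constructed sample, shaped like the API Keys API "Key" resource
# (assumed to match `gcloud services api-keys list --format=json`).
SAMPLE_KEYS = json.loads("""
[
  {"displayName": "Android key (auto created by Firebase)",
   "restrictions": {"apiTargets": [
     {"service": "firebaseinstallations.googleapis.com"},
     {"service": "fcmregistrations.googleapis.com"}]}},
  {"displayName": "Browser key"},
  {"displayName": "Legacy key",
   "restrictions": {"apiTargets": [
     {"service": "maps-android-backend.googleapis.com"},
     {"service": "vision.googleapis.com"}]}},
  {"displayName": "ML debug key"}
]
""")


def audit_keys(keys, exempt=frozenset()):
    """Return (key label, finding) pairs for keys that can still reach Cloud Vision.

    exempt: labels of keys that are meant to reach it (the debug-only key).
    """
    findings = []
    for key in keys:
        label = key.get("displayName") or key.get("name", "<unnamed>")
        if label in exempt:
            continue
        targets = (key.get("restrictions") or {}).get("apiTargets") or []
        services = {t.get("service") for t in targets}
        if not services:
            # "Don't restrict key": valid for every API enabled in the project.
            findings.append((label, "UNRESTRICTED"))
        elif VISION in services:
            findings.append((label, "ALLOWS_VISION"))
    return findings


if __name__ == "__main__":
    for label, finding in audit_keys(SAMPLE_KEYS, exempt={"ML debug key"}):
        print(f"{finding:14} {label}")
```

A key that carries only application restrictions (for example an Android package restriction) and no API targets is still reported as unrestricted, because it remains valid for every API enabled in the project.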
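3. Create and use a debug-only API key
Finally, create a new API key to be used only for development. Firebase ML can use this API key to access Google Cloud services in environments where app authentication isn't possible, such as when running on emulators.
Create a new API key to be used for development:
Open the "Credentials" page of the Google Cloud console. When prompted, select your project.
Click "Create credentials" > "API key" and take note of the new API key. This key allows API access from unauthenticated apps, so keep this key confidential.
To ensure the new debug API key is not leaked with your released app, specify the debug API key in an Android manifest file used only for debug builds:
If you don't already have a debug manifest, create one by clicking "File" > "New" > "Other" > "Android Manifest File" and selecting debug from the target source sets.
In the debug manifest, add the following declaration: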
<application>
    <meta-data
        android:name="com.firebase.ml.cloud.ApiKeyForDebug"
        android:value="your-debug-api-key" />
</application>
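In your app, configure Firebase ML to use certificate fingerprint matching to authenticate your client in production and to use API keys (the debug key) only in debug builds: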
Kotlin
val optionsBuilder = FirebaseVisionCloudImageLabelerOptions.Builder()
if (!BuildConfig.DEBUG) {
    // Requires physical, non-rooted device:
    optionsBuilder.enforceCertFingerprintMatch()
}

// Set other options. For example:
optionsBuilder.setConfidenceThreshold(0.8f)
// ...

// And lastly:
val options = optionsBuilder.build()
FirebaseVision.getInstance().getCloudImageLabeler(options).processImage(myImage)
Java
FirebaseVisionCloudImageLabelerOptions.Builder optionsBuilder =
        new FirebaseVisionCloudImageLabelerOptions.Builder();
if (!BuildConfig.DEBUG) {
    // Requires physical, non-rooted device:
    optionsBuilder.enforceCertFingerprintMatch();
}

// Set other options. For example:
optionsBuilder.setConfidenceThreshold(0.8f);
// ...

// And lastly:
FirebaseVisionCloudImageLabelerOptions options = optionsBuilder.build();
FirebaseVision.getInstance().getCloudImageLabeler(options).processImage(myImage);
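The debug-manifest step only protects the key if the declaration never reaches a non-debug build. The following is an added example, not code from the Firebase documentation: a pre-release check that parses manifests and reports any outside the debug source set that declare `com.firebase.ml.cloud.ApiKeyForDebug`. The file paths, package name and manifest contents are constructed; in a real project you would feed it the source-set manifests and the merged release manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUG_KEY_NAME = "com.firebase.ml.cloud.ApiKeyForDebug"

_HEAD = f'<manifest xmlns:android="{ANDROID_NS}" package="com.example.app">'
_KEY = (f'<meta-data android:name="{DEBUG_KEY_NAME}" '
        'android:value="your-debug-api-key" />')

# Constructed manifests keyed by hypothetical paths; the last one models a
# merged release manifest that picked up the debug declaration by mistake.
SAMPLE_MANIFESTS = {
    "app/src/debug/AndroidManifest.xml":
        f"{_HEAD}<application>{_KEY}</application></manifest>",
    "app/src/main/AndroidManifest.xml":
        f"{_HEAD}<application android:label='demo' /></manifest>",
    "build/merged/release/AndroidManifest.xml":
        f"{_HEAD}<application>{_KEY}</application></manifest>",
}


def declares_debug_key(manifest_xml):
    """True if any <meta-data> element carries the debug-key name."""
    root = ET.fromstring(manifest_xml)
    return any(meta.get(f"{{{ANDROID_NS}}}name") == DEBUG_KEY_NAME
               for meta in root.iter("meta-data"))


def leaking_manifests(manifests):
    """Paths outside the debug source set whose manifest declares the key."""
    return sorted(path for path, xml in manifests.items()
                  if "src/debug/" not in path and declares_debug_key(xml))


if __name__ == "__main__":
    for path in leaking_manifests(SAMPLE_MANIFESTS):
        print("debug API key declared outside debug build:", path)
```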
Next steps
See the launch checklist for information on preparing your app to launch when using other Firebase features.
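Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-21 UTC.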