|
|
|
|
|
|
by dheera
1165 days ago
|
|
|
> it can't really be used to impersonate your app if leaked It actually can, I could create an app called com.yourbusiness.someapp, install the app directly without signing it, and use yourbusiness's API key. For the JavaScript embed APIs I could create a fake root cert, fake DNS, fake HTTP cert signed by the fake root cert, serve https://yourbusiness.com/ from my in-house server to my own laptop, and then issue queries to the Google API using yourbusiness.com as the referrer. (Or hell, just create a Chromium fork that serves up fake referrer headers.) It's just that it's not big enough of a threat that it has become an issue. |
|
|