Restrict Firebase API key to Android app package name. (#690)

* Implement Firebase segmentation SDK device local cache

* [Firebase Segmentation] Add custom installation id cache layer and tests for it.

* Add test for updating cache

* Switch to use SQLiteOpenHelper

* Switch to use SharedPreferences from SQLite.

* Change the cache class to be singleton

* Wrap shared pref commit in a async task.

* Address comments

* Google format fix

* Replace some deprecated code.

* Package refactor

* nit

* nit

* Add the state machine of updating custom installation id in the local
cache and update to Firebase Segmentation backend. CL also contains unit
tests.
(The http client is not implemented yet.)

* minor format fix

* Address comments #1

* Http client in Firebase Segmentation SDK to call backend service.

* Revert unintentional change

* Fix connected device test

* Fix connected device test

* 1. Add a few annotations to make java code Kotlin friendly
2. Some fixes for the http request format

* Fix java format

* Fix API version

* Change the segmentation API implementation to synchronous and put the
entire synchronous code block in async task.

* Fix a async getResult race issue.

* OkHttpClient -> HttpsUrlConnection

* Use gzip for compressing content and fix ourput stream memory leak risk.

* Addressed a few comments

* FirebaseSegmentation SDK
1. Clean up http client response code.
2. When updateCustomInstallationId is called, on non-retryable server errors, the SDK should clean up the local cache. Instead, for retryable errors, SDK can keep the local cache for retrying update later.

* Restrict Firebase API key to Android app package name.

Author: diwu-arete

firebase-segmentation/src/main/java/com/google/firebase/segmentation/FirebaseSegmentation.java

@@ -35,6 +35,8 @@
 /** Entry point of Firebase Segmentation SDK. */
 public class FirebaseSegmentation {
 
+  public static final String TAG = "FirebaseSegmentation";
+
   private final FirebaseApp firebaseApp;
   private final FirebaseInstanceId firebaseInstanceId;
   private final CustomInstallationIdCache localCache;
@@ -46,7 +48,7 @@ public class FirebaseSegmentation {
         firebaseApp,
         FirebaseInstanceId.getInstance(firebaseApp),
         new CustomInstallationIdCache(firebaseApp),
-        new SegmentationServiceClient());
+        new SegmentationServiceClient(firebaseApp.getApplicationContext()));
   }
 
   FirebaseSegmentation(

firebase-segmentation/src/main/java/com/google/firebase/segmentation/remote/SegmentationServiceClient.java

@@ -14,7 +14,14 @@
 
 package com.google.firebase.segmentation.remote;
 
+import static com.google.firebase.segmentation.FirebaseSegmentation.TAG;
+
+import android.content.Context;
+import android.content.pm.PackageManager;
+import android.util.Log;
 import androidx.annotation.NonNull;
+import com.google.android.gms.common.util.AndroidUtilsLight;
+import com.google.android.gms.common.util.Hex;
 import java.io.IOException;
 import java.net.URL;
 import java.util.zip.GZIPOutputStream;
@@ -37,6 +44,14 @@ public class SegmentationServiceClient {
   private static final String JSON_CONTENT_TYPE = "application/json";
   private static final String CONTENT_ENCODING_HEADER_KEY = "Content-Encoding";
   private static final String GZIP_CONTENT_ENCODING = "gzip";
+  private static final String X_ANDROID_PACKAGE_HEADER_KEY = "X-Android-Package";
+  private static final String X_ANDROID_CERT_HEADER_KEY = "X-Android-Cert";
+
+  private final Context context;
+
+  public SegmentationServiceClient(@NonNull Context context) {
+    this.context = context;
+  }
 
   public enum Code {
     OK,
@@ -78,6 +93,9 @@ public Code updateCustomInstallationId(
           "Authorization", "FIREBASE_INSTALLATIONS_AUTH " + firebaseInstanceIdToken);
       httpsURLConnection.addRequestProperty(CONTENT_TYPE_HEADER_KEY, JSON_CONTENT_TYPE);
       httpsURLConnection.addRequestProperty(CONTENT_ENCODING_HEADER_KEY, GZIP_CONTENT_ENCODING);
+      httpsURLConnection.addRequestProperty(X_ANDROID_PACKAGE_HEADER_KEY, context.getPackageName());
+      httpsURLConnection.addRequestProperty(
+          X_ANDROID_CERT_HEADER_KEY, getFingerprintHashForPackage());
       GZIPOutputStream gzipOutputStream =
           new GZIPOutputStream(httpsURLConnection.getOutputStream());
       try {
@@ -143,6 +161,9 @@ public Code clearCustomInstallationId(
           "Authorization", "FIREBASE_INSTALLATIONS_AUTH " + firebaseInstanceIdToken);
       httpsURLConnection.addRequestProperty(CONTENT_TYPE_HEADER_KEY, JSON_CONTENT_TYPE);
       httpsURLConnection.addRequestProperty(CONTENT_ENCODING_HEADER_KEY, GZIP_CONTENT_ENCODING);
+      httpsURLConnection.addRequestProperty(X_ANDROID_PACKAGE_HEADER_KEY, context.getPackageName());
+      httpsURLConnection.addRequestProperty(
+          X_ANDROID_CERT_HEADER_KEY, getFingerprintHashForPackage());
       GZIPOutputStream gzipOutputStream =
           new GZIPOutputStream(httpsURLConnection.getOutputStream());
       try {
@@ -175,4 +196,24 @@ private static JSONObject buildClearCustomSegmentationDataRequestBody(String res
       throws JSONException {
     return new JSONObject().put("name", resourceName);
   }
+
+  /** Gets the Android package's SHA-1 fingerprint. */
+  private String getFingerprintHashForPackage() {
+    byte[] hash;
+
+    try {
+      hash = AndroidUtilsLight.getPackageCertificateHashBytes(context, context.getPackageName());
+
+      if (hash == null) {
+        Log.e(TAG, "Could not get fingerprint hash for package: " + context.getPackageName());
+        return null;
+      } else {
+        String cert = Hex.bytesToStringUppercase(hash, /* zeroTerminated= */ false);
+        return Hex.bytesToStringUppercase(hash, /* zeroTerminated= */ false);
+      }
+    } catch (PackageManager.NameNotFoundException e) {
+      Log.e(TAG, "No such package: " + context.getPackageName(), e);
+      return null;
+    }
+  }
 }