1) If your signing key is compromised, then someone with that information would be able to make calls by spoofing the client signature from your app.
2) Based on the documentation, it looks like no, but without knowing what was said in the SO thread, I wouldn't put money on it one way or the other. On Sunday, December 14, 2014 10:27:51 AM UTC-6, Gannicus wrote: > > Hello, > > I am using Cloud Endpoints with Java to create my API and I would like to > be used only by my android client application. > I read the Google documentation and it seems like I have to generate an ID > thanks to the SHA1 fingerprint. > > However I would like to have a confirmation on this: > > 1) Does it really restrict API calls to my android client only? I don't > want any possibility to call it thanks to a REST client, a browser or > something like that. > > 2) Some part I didn't understand -I read something about it on Stack > Overflow- : do the users have to own a google account to use my android > client then? > > Thank you. > -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/google-appengine. For more options, visit https://groups.google.com/d/optout.
