So, I've been trying to use the Google Play Developer API in our app directly via HTTP requests, and we have a service account that can communicate with the API. Specifically, I'm going to use it for subscription tracking (expiry time, purchase state etc.)
I already have access_token, refresh_token, client_id and client_secret which is encrypted in the app as binary. It is possible to get responses from the API directly, I can tell it works, and I'm fairly sure the method to store the information is secure enough.
Considering this, I was wondering if it is a good idea to use the developer API directly on devices because I don't have a backend server that powerful to secure the connection in between. Would the sent-received information be considered as sensitive and should be completely protected? Or using HTTPS (as developer API requires) is enough?
I'd also like to know if Google permits the usage of developer API in multiple devices (I'm talking about more than 100k devices) instead of from a secure backend server, or if it is completely forbidden and goes against their policy to use it from multiple devices, and that the API has to be used from a backend server directly.
Does anybody use the developer API HTTP calls directly in devices? If you do, can you tell me if you have experienced problems regarding to security or policy? Or, do you know that using it is already forbidden?
Any help is appreciated, thank you.
Side note: I am aware that using a secure backend server is a better option for this occasion, but I'm asking this because I can't use it. Please keep that in mind before answering & commenting on this question, thank you.
The short answer is yes - you can use it directly from the device and nothing will prevent it from even get published on a playstore - I have done it for push notifications and it works.
I know that there is a limitation for some APIs per
client_idand there is a limitation of possibleclient_idsper project(here is a bit more details)Regarding the access_token, refresh_token, - don't store them in a binary - those values are volatile, thus may and will be changes over time - get them during a runtime of the app and store afterwards.
You may also use Firebase remote config to store sensitive values(or even use Firebase cloud functions to handle API access - it will be much more secure).
access_token, refresh_token, client_id and client_secret - all these values are not considered very private or sensitive generally speaking. The one thing that could be bad - if someone get an access to it - they may use it to access your clients data stored somewhere in you google cloud platform or exceed you APIs limits and make you pay for that.
Thus it is secure depending on the information of your users you want to store and exchange, and which APIs you want to use. No one may tell you if you should or shouldn't do it except you - because no one will share a possible outcome and responsibility, but from a technical point of view there are no significant obstacles for such a thing.