I followed this tutorial: https://www.crazycodersclub.com/android/how-to-use-google-sheet-as-database-for-android-app-1-insert-operation/
Somehow, I got it working for androidX. I want to send sensitive location information over the air to my Google sheet link. How secure is this? I have used OAuth2 with gspread in Python before, and relied on a .json key. This seems so much easier... Can users discover my link and read my private entries? Or is there some limitation where they can only send data to the sheet?
Web app code:
var ss = SpreadsheetApp.openByUrl("Add Your Spread Sheet URL here");
var sheet = ss.getSheetByName('Items'); // be very careful ... it is the sheet name .. so it should match
function doPost(e){
var action = e.parameter.action;
if(action == 'addItem'){
return addItem(e);
}
}
function addItem(e){
var date = new Date();
var id = "Item"+sheet.getLastRow(); // Item1
var itemName = e.parameter.itemName;
var brand = e.parameter.brand;
sheet.appendRow([date,id,itemName,brand]);
return ContentService.createTextOutput("Success").setMimeType(ContentService.MimeType.TEXT);
}
My sheet is set to be viewable only by me. The webapp is deployed as everyone has access even anonymous
this is how it's called in the android app:
StringRequest stringRequest = new StringRequest(Request.Method.POST, "Add Your Web App URL",
new Response.Listener<String>() {
@Override
public void onResponse(String response) {
loading.dismiss();
Toast.makeText(AddItem.this,response,Toast.LENGTH_LONG).show();
Intent intent = new Intent(getApplicationContext(),MainActivity.class);
startActivity(intent);
}
},
new Response.ErrorListener() {
@Override
public void onErrorResponse(VolleyError error) {
}
}
The only data that your web app will serve is that which is returned from your doGet()
or doPost()
functions. If your sheet data is not returned, then it will be unviewable.
Just to summarise the comment chain above:
Only me
then even with the Sheet link, no one will be able to view it.Publish as web app
dialog as below:doGet()
or doPost()
function will run, HTTP method dependent. If you have no doGet()
, then doPost()
will run.
doPost()
does not display the Sheet information, then the Sheet information will not be retrievable to the user.doPost()
function, the user will also be blind to the Sheet's ID and can not reverse engineer it.Additionally, if you want to mitigate Web App usage entirely, you can implement adding data to the Sheet directly using the Google Sheets API Java Client Library. You can also see the Quickstart on how to get this set up here.