I am trying to secure my Android application. It uses authentication provided by Google Firebase, I also store some information using Firebase Real-time database, and finally, the main functionality of the app relies on Speech-to-Text API provided also by Google.
I believe all these, can be restricted to one application (package name and app signature).
I have been playing the classic exclusion experiment, by enabling then disabling one API at a time, I couldn't find the right combination, nor any hint, any restriction yields a complete "UNAUTHORIZED" access.
The only option running now is not to restrict at all.
For what I tried already:
Always with
Without any restriction at all, all works great, Authentication/database and speech-to-text; The project connects well with the only first App level connection by providing package name and application signature hash.
I find solution myself, banal canonical approach:
Example