flutterfire icon indicating copy to clipboard operation
flutterfire copied to clipboard

Published 20 hours ago • verified publisher icon firebase

[firebase_ai]: Requests from this Android client application <empty> are blocked

Open JamesCullum opened this issue 1 week ago • 4 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues.

Which plugins are affected?

Other

Which platforms are affected?

Android

Description

Google recommends to restrict API keys, and even sent me a warning email for malicious traffic using one of my Android API keys. Afterwards, I locked down the Google API to my Android app (via Flutter) and this works with all Firebase functionalities on both iOS and Android.

I am using AppCheck, Firestore, Crashlytics, Analytics, Remote Config and now Firebase AI Logic (via the firebase_ai package).

I am trying to call a server prompt as below. It throws an immediate error with the message Requests from this Android client application <empty> are blocked, but only for the FirebaseAI function. The hashes match and all other Firebase functions work as intended.

My suspicion is that the firebase_ai package calls the google API without providing the X-Android-Package and X-Android-Cert headers.

Reproducing the issue

Configure firebase_ai on Flutter with the newest versions (SDK & Plugins). Generate an API key on Google API Console and restrict the usage to android apps with specific hashes.

Code as below:

try {
      final serverPromptId =
          puzzleOpenViewPuzzlesRecord!.aiOptions.server_prompt_id!;

      // Read the audio file from the path
      final audioFile = File(_model.recordedAudioPath!);
      final audioBytes = await audioFile.readAsBytes();
      final base64String = base64Encode(audioBytes);
      String mimeType =
          mimeFromExtension(_model.recordedAudioPath!) ?? 'audio/mpeg';

      var aiModel = FirebaseAI.googleAI(
        appCheck: FirebaseAppCheck.instance, // this did not change anything on this error
        auth: FirebaseAuth.instance, // this did not change anything on this error
      ).templateGenerativeModel();

      var response = await aiModel.generateContent(
        serverPromptId,
        inputs: {
          "attachment": base64String,
          "mimeType": mimeType,
        },
      );

      // Nothing here is called, because generateContent throws the error
    } catch (e) {
      ScaffoldMessenger.of(context).showSnackBar(
        SnackBar(
          content: Text('Error: $e'),
          backgroundColor: FlutterFlowTheme.of(context).error,
        ),
      );
    } finally {
      if (mounted) {
        setState(() {
          _model.aiLoading = false;
        });
      }
    }

Firebase Core version

4.2.1

Flutter Version

3.38.3

Relevant Log Output

Requests from this Android client application <empty> are blocked

Flutter dependencies

Expand Flutter dependencies snippet 

Dart SDK 3.10.1
Flutter SDK 3.38.3
gourmet_detectives 2.7.0+52

dependencies:
- after_layout 1.2.0 [flutter]
- auto_size_text 3.0.0 [flutter]
- badges 3.1.2 [flutter]
- cached_network_image 3.4.1 [cached_network_image_platform_interface cached_network_image_web flutter flutter_cache_manager octo_image]
- chewie 1.13.0 [cupertino_icons flutter provider video_player wakelock_plus]
- cloud_firestore 6.1.0 [cloud_firestore_platform_interface cloud_firestore_web collection firebase_core firebase_core_platform_interface flutter meta]
- confetti 0.7.0 [flutter vector_math]
- csv 6.0.0
- easy_debounce 2.0.3
- equatable 2.0.7 [collection meta]
- firebase_ai 3.6.0 [firebase_app_check firebase_auth firebase_core firebase_core_platform_interface flutter http meta web_socket_channel]
- firebase_analytics 12.0.4 [firebase_analytics_platform_interface firebase_analytics_web firebase_core firebase_core_platform_interface flutter]
- firebase_app_check 0.4.1+2 [firebase_app_check_platform_interface firebase_app_check_web firebase_core firebase_core_platform_interface flutter]
- firebase_auth 6.1.2 [firebase_auth_platform_interface firebase_auth_web firebase_core firebase_core_platform_interface flutter meta]
- firebase_core 4.2.1 [firebase_core_platform_interface firebase_core_web flutter meta]
- firebase_crashlytics 5.0.5 [firebase_core firebase_core_platform_interface firebase_crashlytics_platform_interface flutter stack_trace]
- firebase_remote_config 6.1.2 [firebase_core firebase_core_platform_interface firebase_remote_config_platform_interface firebase_remote_config_web flutter]
- flip_card 0.7.0 [flutter]
- flutter 0.0.0 [characters collection material_color_utilities meta vector_math sky_engine]
- flutter_animate 4.5.2 [flutter flutter_shaders]
- flutter_localizations 0.0.0 [flutter intl path]
- flutter_secure_storage 9.2.4 [flutter flutter_secure_storage_linux flutter_secure_storage_macos flutter_secure_storage_platform_interface flutter_secure_storage_web flutter_secure_storage_windows meta]
- flutter_slidable 3.1.2 [flutter]
- font_awesome_flutter 10.12.0 [flutter]
- from_css_color 2.0.0 [flutter]
- geolocator 14.0.2 [flutter geolocator_platform_interface geolocator_android geolocator_apple geolocator_web geolocator_windows geolocator_linux]
- go_router 14.8.1 [collection flutter flutter_web_plugins logging meta]
- google_fonts 6.3.2 [crypto flutter http path_provider]
- google_maps_flutter 2.14.0 [flutter google_maps_flutter_android google_maps_flutter_ios google_maps_flutter_platform_interface google_maps_flutter_web]
- in_app_review 2.0.11 [flutter in_app_review_platform_interface]
- intl 0.20.2 [clock meta path]
- json_path 0.7.6 [iregexp maybe_just_nothing petitparser rfc_6901]
- lottie 3.3.2 [archive flutter http path vector_math]
- marquee 2.3.0 [fading_edge_scrollview flutter]
- mime_type 1.0.1
- page_transition 2.2.1 [flutter]
- permission_handler 12.0.1 [flutter meta permission_handler_android permission_handler_apple permission_handler_html permission_handler_windows permission_handler_platform_interface]
- photo_view 0.15.0 [flutter]
- provider 6.1.5+1 [collection flutter nested]
- salomon_bottom_bar 3.3.2 [flutter]
- share_plus 10.1.4 [cross_file meta mime flutter flutter_web_plugins share_plus_platform_interface file url_launcher_web url_launcher_windows url_launcher_linux url_launcher_platform_interface ffi web win32]
- shared_preferences 2.5.3 [flutter shared_preferences_android shared_preferences_foundation shared_preferences_linux shared_preferences_platform_interface shared_preferences_web shared_preferences_windows]
- synchronized 3.4.0
- timeago 3.7.1 [intl]
- tutorial_coach_mark 1.3.3 [flutter]
- url_launcher 6.3.2 [flutter url_launcher_android url_launcher_ios url_launcher_linux url_launcher_macos url_launcher_platform_interface url_launcher_web url_launcher_windows]
- video_player 2.10.1 [flutter html video_player_android video_player_avfoundation video_player_platform_interface video_player_web]
- voice_note_kit 1.3.3 [flutter http just_audio just_waveform path_provider permission_handler record]
- webview_flutter 4.13.0 [flutter webview_flutter_android webview_flutter_platform_interface webview_flutter_wkwebview]

dev dependencies:
- dependency_validator 4.1.3 [analyzer args build_config checked_yaml glob io json_annotation logging package_config path pub_semver pubspec_parse yaml]
- flutter_launcher_icons 0.13.1 [args checked_yaml cli_util image json_annotation path yaml]
- flutter_test 0.0.0 [flutter test_api matcher path fake_async clock stack_trace vector_math leak_tracker_flutter_testing collection meta stream_channel]
- integration_test 0.0.0 [flutter flutter_driver flutter_test path vm_service]
- patrol 3.20.0 [boolean_selector equatable flutter flutter_test http json_annotation meta patrol_finders patrol_log shelf test_api]

dependency overrides:
- fading_edge_scrollview 4.1.1 [flutter]

Additional context and comments

Requests from this Android client application are blocked

JamesCullum avatar Nov 30 '25 17:11 JamesCullum