Unleash the Power of Gemini Models on Android: Secure Integration with Vertex AI and Firebase
Written by George Soloupis, ML and Android GDE.
This blog post guides you through a streamlined and secure approach to integrating Gemini models with your Android apps using Vertex AI and the Firebase SDK. While various methods exist for leveraging Gemini, this approach stands out for its simplicity and robust security by eliminating the need to expose your API key within your app.
Key Benefits:
- Effortless Integration: Enjoy a straightforward and efficient process for incorporating Gemini models into your Android applications.
- Uncompromising Security: Protect your API and sensitive data by utilizing Firebase’s secure authentication and authorization mechanisms.
- Enhanced Trust and Reliability: Leverage App Check and Play Integrity to ensure the authenticity and integrity of all communication with Firebase servers.
The documentation for using the Gemini API with Vertex in Firebase is clear, concise, and easy to follow. Let’s go through the implementation steps one by one:
1. Connect your app to Firebase
There are multiple options for connecting the app, but the recommended one is adding Firebase through the Firebase console. This process involves creating a Firebase project in the Firebase console; generating, downloading and placing the google-services.json file inside the Android app; adding the Firebase SDK dependencies to your app’s build.gradle file; and finally building and running your app to ensure everything is functioning as expected.
2. Install the SDK and initialize it inside Android
Make sure your app targets API level 21 or higher. Set up a Firebase project and connect your app to Firebase. Your plan has to be upgraded to Blaze (pay as you go), and two APIs have to be enabled in the Google Cloud Console.
Add the Vertex AI in Firebase SDK to your app:
```kotlin
dependencies {
    // ... other androidx dependencies
    // add the dependency for the Vertex AI in Firebase SDK for Android
    // check for any updates for the library
    implementation("com.google.firebase:firebase-vertexai:16.0.0-beta04")
}
```
3. Call the Gemini API
The easiest way to check if this is working is by using the generateContent() function:
```kotlin
import com.google.firebase.Firebase
import com.google.firebase.vertexai.vertexAI

// generateContent is a suspend function, so call it from a coroutine
suspend fun generateStory() {
    // Initialize the Vertex AI service and the generative model
    // Specify a model that supports your use case
    // Gemini 1.5 models are versatile and can be used with all API capabilities
    val generativeModel = Firebase.vertexAI.generativeModel("gemini-1.5-flash")
    // Provide a prompt that contains text
    val prompt = "Write a story about a magic backpack."
    // To generate text output, call generateContent with the text input
    val response = generativeModel.generateContent(prompt)
    print(response.text)
}
```
There are several capabilities available, including text-only prompts, multimodal prompts, multi-turn conversations (chat), and function calling. You can choose the option that best suits your specific task.
4. Prepare for production
Using the Gemini API with Vertex requires a paid plan. It’s essential to ensure that only your app — typically the production version distributed through the Google Play Console — can access and utilize the Gemini API. You can use Firebase App Check to verify that all API calls are from your actual app.
To enable App Check in an Android app, you can use the built-in Play Integrity provider. That involves enabling the Play Integrity API in the Google Play Console and registering your apps to use App Check with the Play Integrity provider in the App Check section of the Firebase console, using the SHA256 fingerprint of the key that Google Play Console is using to sign your app (in case you have opted in to Google Play Console managing your signing key).
By clicking on the Play Integrity tab you can enter and save the SHA256 key.
Then, when everything is set, you can enable App Check enforcement.
Important:
- Once you enable enforcement, your locally built debug or release Android builds will fail App Check. To continue using the Gemini API during development you have to use a debug App Check provider!
- Remember to use the signing key that Google Play Console is using to sign your app inside the Firebase tab App Check -> Apps -> your application -> Play Integrity.
By following the above two important rules, only your app that is downloaded from Google Play will be able to use your Gemini API.
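The provider setup described above, as an added example that is not code from the original post: a hypothetical `Application` subclass that installs the Play Integrity provider in non-debuggable builds and the debug provider in debuggable ones, then requests one App Check token to confirm attestation works. The class name, package name and log tag are assumptions.

```kotlin
// Added example, not from the original post. GeminiApp and com.example.geminiapp
// are assumed names. Needs the firebase-appcheck-playintegrity and
// firebase-appcheck-debug artifacts and an android:name entry in the manifest.
package com.example.geminiapp

import android.app.Application
import android.content.pm.ApplicationInfo
import android.util.Log
import com.google.firebase.Firebase
import com.google.firebase.appcheck.AppCheckProviderFactory
import com.google.firebase.appcheck.appCheck
import com.google.firebase.appcheck.debug.DebugAppCheckProviderFactory
import com.google.firebase.appcheck.playintegrity.PlayIntegrityAppCheckProviderFactory
import com.google.firebase.initialize

class GeminiApp : Application() {
    override fun onCreate() {
        super.onCreate()
        Firebase.initialize(context = this)

        // Local debug builds are not the Play-signed app, so they fail
        // Play Integrity; they use the debug provider instead.
        val debuggable = (applicationInfo.flags and ApplicationInfo.FLAG_DEBUGGABLE) != 0
        val factory: AppCheckProviderFactory = if (debuggable) {
            // Prints a debug token to logcat on first run. Register it in the
            // Firebase console (App Check -> Apps -> Manage debug tokens) and
            // keep it private: it stands in for a real attestation.
            DebugAppCheckProviderFactory.getInstance()
        } else {
            PlayIntegrityAppCheckProviderFactory.getInstance()
        }
        Firebase.appCheck.installAppCheckProviderFactory(factory)

        // Confirm attestation before turning on enforcement: request a token
        // once and log only the outcome, never the token value.
        Firebase.appCheck.getAppCheckToken(/* forceRefresh = */ false)
            .addOnSuccessListener { token ->
                Log.i(TAG, "App Check token obtained, expires at ${token.expireTimeMillis}")
            }
            .addOnFailureListener { e ->
                Log.w(TAG, "App Check failed; enforced Gemini calls will be rejected", e)
            }
    }

    private companion object {
        const val TAG = "GeminiApp"
    }
}
```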
If you download the app from the Google Play Console and you know how to get the .apk and copy it to your computer, you can try to view the signing key using keytool. This, though, has no effect, and using:
```shell
keytool -printcert -jarfile /home/dell/Downloads/base.apk
```
you will get: “Not a signed jar file”
Remember, as the documentation states:
1. With App Check, devices running your app use an app or device attestation provider that verifies one or both of the following:
   - Requests originate from your authentic app
   - Requests originate from an authentic, untampered device
2. This attestation is attached to every request your app makes using the Vertex AI Gemini API. When you enable App Check enforcement, requests from clients without a valid attestation will be rejected, as will any request originating from an app or platform you haven’t authorized.
3. For insights inside the Google Play Console follow these instructions.
4. App Check relies on the strength of its attestation providers to determine app or device authenticity. It prevents some, but not all, abuse vectors directed towards your backends. Using App Check does not guarantee the elimination of all abuse, but by integrating with App Check, you are taking an important step towards abuse protection for your backend resources.
Conclusion
This blog post gave an overview of a secure and efficient method for integrating Gemini models into Android apps using Vertex AI and Firebase. The guide emphasized avoiding the exposure of API keys and highlighted the key benefits: effortless integration, enhanced security through Firebase’s authentication and authorization, and increased reliability by using App Check and Play Integrity. It walked through the steps of connecting your app to Firebase, installing the necessary SDK, calling the Gemini API, and preparing the app for production while ensuring only authorized versions can access the API.