
When you reverse APK files you find API keys/tokens somewhere in properties, manifest, strings, etc. Sometimes some API keys/secrets are obvious and you can understand the security impact and risk of exposing these keys. Please let me know what's the security risk involved in these keys:

  1. Google Maps API Key
  2. Fabric API key (probably can forge crash data)
  3. Twitter/FB Consumer key and secret (no auth tokens)
  4. Crashlytics SDK developer's token

Thanks

scrambler
  • I posted a similar issue on the Firebase Android SDK github page: https://github.com/firebase/firebase-android-sdk/issues/1583. Hope someone serious will look at this. – grebulon May 27 '20 at 08:38

1 Answer


Google Maps API keys are now subject to billing as per https://developers.google.com/maps/documentation/javascript/usage-and-billing, thus you will want to protect them very well, and the same goes for Twitter, which started to charge for some features in its API as per https://www.theregister.co.uk/2018/08/16/has_your_twitter_app_stopped_working_heres_why.

So if they are not protected they can be hijacked from your application and used on your behalf, and the usage charged to you.

Regarding the other keys, I cannot comment for now, since I don't have enough knowledge about them.

Exadra37
  • This answer differs a little from https://stackoverflow.com/questions/49542498/what-are-the-security-risks-with-including-google-map-api-key-in-gradle; wasn't API key restriction an opportunity then? – m.reiter Jun 18 '21 at 06:35
  • API key restriction is always recommended, but at the end of the day it can be bypassed. – Exadra37 Jun 21 '21 at 11:37
  • "but at the end of the day it can be bypassed" -> could you please provide sources for that? I'd like to know how realistic such an attack is, since it's my personal bank account which would get billed... – m.reiter Jun 21 '21 at 11:55
  • Google for `Android bypass api key restriction` and you will find links to several answers to your question, like [this one](https://security.stackexchange.com/a/213260) on Security StackExchange. – Exadra37 Jun 21 '21 at 13:06
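Since the question is about keys that turn up in the manifest, `strings.xml` and property files of a decoded APK, and the answer's point is that a billable key must be found and protected before it ships, here is an added example of the check a release pipeline can run over its own decoded build output (example code written for this page, not from the question author, the answer author or any of the vendors mentioned). It matches the fixed shape of a Google API key (`AIza` followed by 35 URL-safe characters) anywhere in the text, and additionally flags values whose resource or meta-data name looks credential-like. The sample files, the key values and the list of credential-like name fragments are constructed for the example; the two manifest meta-data names are the ones the Maps SDK (`com.google.android.geo.API_KEY`) and Fabric (`io.fabric.ApiKey`) document, but treat the name heuristic as an assumption to be tuned per project.

```python
"""Scan a directory of decoded Android app resources for hardcoded API keys.

Added example for this Q&A page. It walks files as a resource decoder lays
them out (AndroidManifest.xml, res/values/strings.xml, *.properties) and
reports values that look like the keys the question lists, with the secret
redacted so the report itself does not leak it.
"""
import os
import re
import tempfile
from typing import List, Tuple

# Shape of a Google API key: 'AIza' + 35 URL-safe characters (39 in total).
GOOGLE_API_KEY = re.compile(
    r"(?<![0-9A-Za-z_\-])AIza[0-9A-Za-z_\-]{35}(?![0-9A-Za-z_\-])")

# Name fragments that commonly label third-party credentials. This list is a
# constructed heuristic for the example, not a vendor-supplied identifier set.
SUSPICIOUS_NAME = re.compile(
    r"(api[_.-]?key|secret|consumer[_.-]?key|token|client[_.-]?id)", re.I)

# Key/value shapes for the three file types the question mentions.
STRING_RES = re.compile(r'<string\s+name="([^"]+)"\s*>([^<]*)</string>')
META_DATA = re.compile(r'android:name="([^"]+)"\s+android:value="([^"]+)"')
PROPERTY = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*[=:]\s*(\S+)\s*$", re.M)

Finding = Tuple[str, str, str, str]  # (file, kind, name, redacted value)

# Constructed sample key: correct shape, not a real credential.
SAMPLE_GOOGLE_KEY = "AIza" + "SyExampleKey".ljust(35, "0")

# Constructed sample of a decoded APK; every value here is made up.
SAMPLE_FILES = {
    "AndroidManifest.xml": f"""<manifest package="com.example.demo">
  <application>
    <meta-data android:name="com.google.android.geo.API_KEY" android:value="{SAMPLE_GOOGLE_KEY}"/>
    <meta-data android:name="io.fabric.ApiKey" android:value="0123456789abcdef0123456789abcdef01234567"/>
  </application>
</manifest>
""",
    "res/values/strings.xml": """<resources>
    <string name="app_name">Demo</string>
    <string name="twitter_consumer_secret">tw-secret-EXAMPLE-0000</string>
</resources>
""",
    "assets/crashlytics.properties": "version=1.0\ncrashlytics.developer.token=deadbeefdeadbeef\n",
}


def redact(value: str) -> str:
    """Keep just enough of a value to recognise it in a report, never all of it."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(path: str, text: str) -> List[Finding]:
    """Return findings for one file; the pattern set depends on the file type."""
    base = os.path.basename(path)
    if base == "AndroidManifest.xml":
        pattern, file_kind = META_DATA, "manifest-meta-data"
    elif base.endswith(".xml"):
        pattern, file_kind = STRING_RES, "string-resource"
    elif base.endswith(".properties"):
        pattern, file_kind = PROPERTY, "property"
    else:
        pattern, file_kind = None, "text"

    findings: List[Finding] = []
    if pattern is not None:
        for name, value in pattern.findall(text):
            if SUSPICIOUS_NAME.search(name) and len(value) >= 8:
                kind = "google-api-key" if GOOGLE_API_KEY.fullmatch(value) else file_kind
                findings.append((path, kind, name, redact(value)))
    # Google keys are recognisable by shape alone, even with an innocent name.
    seen = {f[3] for f in findings}
    for m in GOOGLE_API_KEY.finditer(text):
        if redact(m.group(0)) not in seen:
            findings.append((path, "google-api-key", "-", redact(m.group(0))))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a decoded APK directory and scan every text-like resource file."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith((".xml", ".properties", ".json", ".txt")):
                continue
            full = os.path.join(dirpath, fn)
            with open(full, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(os.path.relpath(full, root), fh.read()))
    return findings


def build_sample_tree() -> str:
    """Write the constructed sample files to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="apk-decoded-")
    for rel, text in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    for path, kind, name, value in scan_tree(build_sample_tree()):
        print(f"{path}: {kind} {name} = {value}")
```

Run it against the output of your own resource decoder (or point `scan_tree` at the sample tree it builds) and fail the build on any finding. A hit on a Google key is the case the answer warns about: the key is billable, so it needs the console-side restrictions the comments mention, and anything that must stay secret belongs behind your own backend rather than in the APK at all.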