5

I am using Google directions api in my app. Recently, I got warning from Google about the API key saying:

Your app contains exposed Google Cloud Platform (GCP) API keys

This is because the directions API needs auth key(I have that key in strings.xml file, and appending it from there). On the console, package name and SHA1 for app is already added alongwith restricting the API. I read about setting up GCP service account but not getting idea of how to use it. As per docs, we should set environment variable and provide credentials through it. Does this means I have to store the generated json file in my application and get credentials from there(as mentioned in the docs). If not, then what should be best approach for mobile apps.

Update: The generated google-services.json itself has api key in it.

Nitish
  • 3,097
  • 13
  • 45
  • 80

3 Answers3

1

The best source for this is the Google Documentation itself

From the docs -

If you embed GCP API keys in your applications, those keys will become publicly available. This exposure of your API keys could lead to unexpected charges and quota changes in your app’s account. We recommend fixing this issue in your app using one of the following ways:

  1. If possible, use GCP service accounts in lieu of GCP API keys for authenticating your app. A GCP service account is a Google account associated with your GCP project. More details on creating and using service accounts can be found here.

  2. Add restrictions to your API key so that only your apps are allowed to use the API key. More details on adding restrictions to API keys can be found here.

Please review the GCP best practices for securely using API keys.

Thalish Sajeed
  • 1,351
  • 11
  • 25
  • 1
    I posted this question only after going through the docs. API restriction is there since the time it is in use in my project – Nitish Aug 17 '19 at 06:48
  • @Nitish Were you able to find a relevant answer for this? I am still receiving this warning from Google on the play console – Gaurav Arora Aug 17 '22 at 07:25
0

This is the wrong way to expose that API to an Android application, because it would expose the service-account credentials, which can be extracted from the package. Use google-maps-services-java instead - it just would need to be back-ported to JRE 7 (building from source while adding two methods), because it depends on Java 8 Instant, which is only available on newer versions of Android, which use JRE 8 (that library does not officially support Android).

In order not to expose the Maps API key, it needs to be restricted to the fingerprints of that Android application (these might be several fingerprints, one for debug, release and eventually Play Store).

Martin Zeitler
  • 1
  • 19
  • 155
  • 216
  • The key is restricted since the time it is in use. I'm not sure why it started giving warnings.Going back to GCP documentation, I am focussing on using GCP service account. Just running some tests. Would post it here once done:). But they are taking api key in exposed manner since very long time. For end applications, even storing on own server is not a solution as traffic can be intercepted. Any ways, it still need the client app to have json file, containing service account keys not sure how safe it is. – Nitish Aug 17 '19 at 06:44
0

Your app contains exposed Google Cloud Platform (GCP) API keys

So this means you have GCP key which is restricted as NONE which can be used by any one in browser or application.

if you are using it in your application then you need to mention 2 things in GCP

You need to restrict key for ANDROID

  1. Package Name : com.yourpackage

  2. SHA1 key : Right - Top Side GRADLE in tha TASKS - ANDROID - SIGNING REPORT double click on it you will get SHA1 key at RUN TAB

Just use this into your GCP to restrict your application.

Amjad Khan
  • 1,309
  • 15
  • 32