
Your app contains exposed Google Cloud Platform (GCP) API keys. Please see this Google Help Center article for details.

Vulnerable locations:

com.abc.Youtube_Player->onCreate

This is how my code looks at the back end:

import android.os.Bundle;
import androidx.appcompat.app.AppCompatActivity; // androidx assumed; android.support.v7 works the same
import com.google.android.youtube.player.YouTubeInitializationResult;
import com.google.android.youtube.player.YouTubePlayer;
import com.google.android.youtube.player.YouTubePlayerView;

public class Youtube_Player extends AppCompatActivity implements YouTubePlayer.OnInitializedListener {
    // YouTube player view, bound in onCreate (the view id R.id.youtube_view is assumed)
    private YouTubePlayerView mPlayerView;
    // Hardcoded developer key: this string literal is what the Play Console flags
    public static final String GOOGLE_API_KEY = "<api key>";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_youtube__player);
        mPlayerView = findViewById(R.id.youtube_view);
        // Initializing video player with developer key
        mPlayerView.initialize(GOOGLE_API_KEY, this);
    }

    @Override
    public void onInitializationSuccess(YouTubePlayer.Provider provider, YouTubePlayer player, boolean wasRestored) {
        // Player is ready; cue or load a video here
    }

    @Override
    public void onInitializationFailure(YouTubePlayer.Provider provider, YouTubeInitializationResult errorReason) {
        // Initialization failed, for example because the key is invalid or restricted
    }
}

4 Answers


You have the API key in the code. As a best practice, you should keep secret keys in a secure system like Google Secret Manager, HashiCorp Vault, an encrypted GCS bucket, etc. If these options are not feasible for you, still try to put the secret keys in some other property file and control access to that file.

Pradeep Bhadani
  • Thanks Pradeep. I have implemented the above answer and hope the Play Store will remove its warning. If it doesn't work, I will try your answer. Currently this is the problem I'm facing; if you know the answer, kindly share: https://stackoverflow.com/questions/59855432/manifest-merger-failed-attribute-applicationappcomponentfactory-value-androi – Rohit Kumar Sehrawat Jan 22 '20 at 10:56

To avoid this warning message from the console:

Leaked GCP API Keys Your app contains exposed Google Cloud Platform (GCP) API keys. Please see this Google Help Center article for details.

You must define the values you want to "hide" inside your gradle.properties file (if it doesn't exist, you can create it):

JORGESYS_API_KEY=key=AI9876IoaNutaEFrumoAsaAsa123An8mTRk-U
SECRET_CLIENT_API_KEY=key=AIzaSyJorgeSysIsCoOlaeB12GSET-U
SECRET_TOKEN_API_KEY=key=AIzaS12JorgeSysIsCoOlsauPrOsTaeB12GSET-U

and define the reference to these values inside app/build.gradle:

android {
    ...
    defaultConfig {
        ...
        // Defined in gradle.properties
        buildConfigField "String", "JORGESYS_API_KEY", "\"$JORGESYS_API_KEY\""
        buildConfigField "String", "SECRET_CLIENT_API_KEY", "\"$SECRET_CLIENT_API_KEY\""
        buildConfigField "String", "SECRET_TOKEN_API_KEY", "\"$SECRET_TOKEN_API_KEY\""
    }
}

When building your project, the BuildConfig class will be generated containing these values, which you can use in your application at compile time:

val myAPIKEY = BuildConfig.JORGESYS_API_KEY

These values ​​cannot be obtained by "reverse engineering"! :-)

Jorgesys
  • How does this help? It is trivial to decompile the app and read the keys from your BuildConfig. – bompf Jan 10 '23 at 10:35
  • This method is used to avoid getting the API key values using reverse engineering. – Jorgesys Jan 11 '23 at 03:17
  • Instead of the last val definition, I use this solution for Android/Java: you can simply add this line to the import section of your class to pull the value from your Gradle config: import static com.example.app.BuildConfig.SECRET_TOKEN_API_KEY_FOR_MYSELF; – Bay Jan 20 '23 at 20:27

You have defined your API key as 'public static', which means your API key is accessible anywhere in the app, and there is a chance of leaking your API key. You need to change it from 'public static' to private.

ashok
  • Thanks Ashok. I will amend the code as per your suggestion. If it works, I will accept the answer. – Rohit Kumar Sehrawat Jan 22 '20 at 07:05
  • The issue here is not about the scope of the attribute. The issue here is that the API key is hardcoded and, thus, if somebody breaks your application your key may be compromised. – joninx Jul 12 '22 at 13:13
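Added example from the editor, not from any answer or commenter above. It does what bompf's comment under the gradle.properties answer and joninx's comment under the 'private' answer describe: it pulls GCP-API-key-shaped strings straight out of an APK's entries without a decompiler, which is all the Play Console scan needs. It builds a constructed, in-memory fake APK (the key, the class name and the file names are made up) so it runs offline; pass a path to scan a real release build. Assumptions: the key format AIza followed by 35 characters from [A-Za-z0-9_-], and that a buildConfigField constant, like any static final String initializer, lands as a plain string in the DEX string pool.

```python
import io
import re
import sys
import zipfile

# Shape of a Google Cloud API key: the literal prefix "AIza" followed by 35
# characters from [A-Za-z0-9_-], 39 characters in total.
GCP_API_KEY_RE = re.compile(rb"AIza[0-9A-Za-z_-]{35}")

# Constructed, fake key with the right shape. Not a real credential.
FAKE_KEY = "AIzaSyEXAMPLEfakeKEY0123456789abcdefghi"


def find_gcp_keys(data: bytes) -> list:
    """Return the distinct GCP-API-key-shaped strings in a byte blob, in order."""
    found = []
    for match in GCP_API_KEY_RE.finditer(data):
        key = match.group(0).decode("ascii")
        if key not in found:
            found.append(key)
    return found


def scan_apk(apk_bytes: bytes) -> dict:
    """Map each APK entry (an APK is a zip) to the key-shaped strings inside it.

    No decompiler is needed: DEX string pools, resources.arsc, assets and
    res/raw are plain byte streams, so a BuildConfig constant, a hardcoded
    `public static final String` (public or private) and a strings.xml value
    are all found the same way.
    """
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            keys = find_gcp_keys(zf.read(info.filename))
            if keys:
                hits[info.filename] = keys
    return hits


def _dex_string(s: str) -> bytes:
    """Encode one DEX string_data_item: ULEB128 UTF-16 length (one byte is
    enough for short strings, and equals the byte length for ASCII), the
    MUTF-8 bytes, then a NUL terminator."""
    raw = s.encode("ascii")
    return bytes([len(raw)]) + raw + b"\x00"


def build_fake_apk() -> bytes:
    """Constructed in-memory APK: a classes.dex stub whose string pool holds
    the class, field and value that buildConfigField produces. Only the string
    data is modelled; there is no valid DEX header or table layout."""
    dex = (
        b"dex\n035\x00"
        + _dex_string("Lcom/example/app/BuildConfig;")
        + _dex_string("JORGESYS_API_KEY")
        + _dex_string(FAKE_KEY)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<binary xml placeholder>")
        zf.writestr("classes.dex", dex)
        zf.writestr("res/raw/app.properties", b"nothing secret here\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python scan_apk_keys.py app-release.apk   (no argument: self-demo)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_apk()
    for entry, keys in scan_apk(data).items():
        for key in keys:
            print(f"{entry}: {key}")
```

Run it against the release APK before uploading. A hit in classes.dex means the key is one unzip and one regex away, whichever of the above answers produced it; moving the literal from the Activity into gradle.properties or marking the field private changes where the string is written, not whether it ships. What does limit the damage is restricting the key in the Google Cloud console (Android application restriction by package name and signing-certificate SHA-1, plus API restriction to only the YouTube API) or keeping the key on a server you control.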

Complete guide to using API keys and avoiding the "Leaked GCP API Keys" security issue in the Google Play Console: https://stackoverflow.com/a/71155071/13387867

Milan Maji