Android Question Exposing API Key when using Geocoding API

Derek Johnson

Active Member
Licensed User
Longtime User
My app uses the Google Geocoding API to get an address from a Lat/Long.

This is the sort of thing that it uses:

B4X:
    Dim j As HttpJob
    j.Initialize("GetAddress", Me)
    j.Download2("https://maps.googleapis.com/maps/api/geocode/json", Array As String( _
"latlng", lat & "," & lon, _
"result_type","street_address|locality", _
    "key",API_key))

NB The number of requests made by App is fairly low and not above the free amount allowed, so I don't have a payment account set up.

I've recently spotted this warning in the Google Dev Console:

Your app contains exposed Google Cloud Platform (GCP) API keys. Please see this Google Help Centre article for details.

Apparently if I were to use a Service Account this problem would be reduced.

Has anyone else managed to solve this issue?
 

DonManfred

Expert
Licensed User
Longtime User
Upvote 0

Derek Johnson

Active Member
Licensed User
Longtime User
Setup billing for your account. Create a token, restrict the token to your app.

I don't think that restricting the token to my app will work as this is using the Web Service to do the work, and the web service request could come from anywhere.

I think that I will have to use the Geocoding Library to solve this. Incidentally this warning first appeared on 13 Jun 2019, just after Google tightened up on Geocoding requests.)
 
Upvote 0

DonManfred

Expert
Licensed User
Longtime User
I know that restricting the key to your app IS the solution. Once you restrict it google will know.

NO ONE else can use the key in his app even if he extract it from my app using reverse engineering.

Using a Server key is not possible in android. The key must be used on a SERVER. In a B4J App for example.

Note that everyone with a bit knowledge is able to extract the key from your app. Having a serverkey bound in your app open the door wide open for any hacker.
 
Last edited:
Upvote 0
Top