Android Question How safe is my API keys?

Michael2150

Member
Licensed User
So I followed the instructions in this post here and integrated google maps into my application. In that tutorial it says you should put your API key in the manifest editor like this.

B4X:
AddApplicationText(
<meta-data
  android:name="com.google.android.geo.API_KEY"
  android:value="xxxxxxxxxxxxxx"/>
)
But now my question is, how safe is that really? I can take the APK and drop it into Android Studio and then go through the AndroidManifest.xml file to easily find the key just there in the open. I was wondering why the key had to be in the manifest in the first place and what is good practices if I want to safely use other keys throughout my application?
 

Alex_197

Active Member
Licensed User
So I followed the instructions in this post here and integrated google maps into my application. In that tutorial it says you should put your API key in the manifest editor like this.

B4X:
AddApplicationText(
<meta-data
  android:name="com.google.android.geo.API_KEY"
  android:value="xxxxxxxxxxxxxx"/>
)
But now my question is, how safe is that really? I can take the APK and drop it into Android Studio and then go through the AndroidManifest.xml file to easily find the key just there in the open. I was wondering why the key had to be in the manifest in the first place and what is good practices if I want to safely use other keys throughout my application?
If you worry about your keys - try the intent (you don't keys in this case)
Google Map:
private Sub ShowMap
    
    Try
        
        Dim Intent1 As Intent
        Dim urlMap As String="https://www.google.com/maps/search/"
        Dim su As StringUtils
        Dim Address As String
            
        Address=Main.SelectedClientAddress
        Address=Address.Replace(CRLF," ")       
        Address=su.EncodeUrl(Address,"UTF-8")           
        urlMap=urlMap & Address
                
        Intent1.Initialize(Intent1.ACTION_VIEW,urlMap)
        Intent1.SetComponent("googlemaps")
        StartActivity(Intent1)
    Catch
        Log("ShowMap " & LastException)
        modFun.ShowError("ShowMap " & LastException)
    End Try
    
End Sub
 

Michael2150

Member
Licensed User
If you worry about your keys - try the intent (you don't keys in this case)
Google Map:
private Sub ShowMap
   
    Try
       
        Dim Intent1 As Intent
        Dim urlMap As String="https://www.google.com/maps/search/"
        Dim su As StringUtils
        Dim Address As String
           
        Address=Main.SelectedClientAddress
        Address=Address.Replace(CRLF," ")      
        Address=su.EncodeUrl(Address,"UTF-8")          
        urlMap=urlMap & Address
               
        Intent1.Initialize(Intent1.ACTION_VIEW,urlMap)
        Intent1.SetComponent("googlemaps")
        StartActivity(Intent1)
    Catch
        Log("ShowMap " & LastException)
        modFun.ShowError("ShowMap " & LastException)
    End Try
   
End Sub
Thanks for the suggestion, but I don't really mind using it like that, because the maps SDK is free anyway, but I would like to hear more about saving and using other keys in a safer way for more important things.
 

Syd Wright

Well-Known Member
Licensed User
You could add some protection by first encrypting your API key in a separate app, like so:
Encrypt API key:
    Dim raf As RandomAccessFile            'Save Encrypted!
    Dim MyAPIkey as string
    MyAPIkey = "xxxxxxxxxxxxxxxxxxxxxxx"
    raf.Initialize(File.DirRootExternal, "MyKey.txt", False)    'or use a less obvious file name, or even make believe that it is a jpg or mp3 file (eg: "welcome.jpg" or "pling1.mp3")
    raf.WriteEncryptedObject(MyAPIkey, "This is my own encryption key",0)   'Change: "This is my own encryption key" to a random collection of letters, digits and symbold, at least a couple of dozen of them!
    raf.Close
Then manually copy MyKey.txt to your project (under Files) and then decrypt it in your app with:
Decrypt API key:
      Dim raf As RandomAccessFile
      Dim MyAPIkey as string
      raf.Initialize(File.DirAssets, "MyKey.txt", False)
      MyAPIkey = raf.ReadEncryptedObject("This is my own encryption key", 0)
      raf.Close
Then use MyAPIkey where needed in your code.
You could even store the "This is my own encryption key" in a file on your website and download it and insert it in the raf.ReadEncryption line.
 
Last edited:

Syd Wright

Well-Known Member
Licensed User
That is an interesting solution I was also thinking about, and I will definitely keep it in mind when using some other more important keys with payments on them in the future.
In stead of using "MyKey.txt" it is better to use a less obvious file name, or even make believe that it is a jpg or mp3 file (eg: "welcome.jpg" or "pling1.mp3")
Another trick is to simply use an everyday text as the "My own encryption key" like "Please click on the '?' button to read the help file". Hackers will probably not immediately suspect that this is actually your encryption/decryption key.
In the past I used to hide keys in large existing bmp imagefiles. When viewing these images they would appear as normal pictures. Nobody woulds notice the couple of dozen modified pixels spread all over the picture.
 
Last edited:

DonManfred

Expert
Licensed User
That is an interesting solution I was also thinking about, and I will definitely keep it in mind when using some other more important keys with payments on them in the future.
Trying to encrypt the key does not make much sense.

The suggested method is to restrict you Apikey.

Once you restrict it to your apps Packagename no one can use it inside his App even if he reverseengineer your app to reveal the Key.
 

Alexander Stolte

Expert
Licensed User
or even make believe that it is a jpg or mp3 file (eg: "welcome.jpg" or "pling1.mp3")
Put the API-Key in a image file.
 

Michael2150

Member
Licensed User
I agree with @DonManfred for something like the GoogleMaps key that is a free service the easiest solution is just to restrict it. But I do find it interesting to see all these other cool solutions to the problem.
 

DonManfred

Expert
Licensed User
But I do find it interesting to see all these other cool solutions to the problem.
they are good for other Issues.

But they are just unneeded work. You just make your life complicated than it should be trying to encrypt a GoogleApiKey to hide it from any Hacker.
 

Syd Wright

Well-Known Member
Licensed User
Trying to encrypt the key does not make much sense.
Kindly explain that. Michael2150 wants to hide his APIkey such that others can't use it, which is very understandable. If hackers use or even abuse his key, it is Micheal who has the problem because he can no longer use Google's related service and most likely also will have a hard time to get a new key from Google because his reputation has been damaged.
 

DonManfred

Expert
Licensed User
Michael2150 wants to hide his APIkey such that others can't use it, which is very understandable.
Sure. The - simple - Solution is to go into the Google Cloud console and restrict the Key to his Apps packagename.

No need to hide anything as no one is able to use this key. Except Michael.
 
Top