Android Question How safe is my API keys?

Michael2150

Member
Licensed User
So I followed the instructions in this post here and integrated google maps into my application. In that tutorial it says you should put your API key in the manifest editor like this.

B4X:
AddApplicationText(
<meta-data
  android:name="com.google.android.geo.API_KEY"
  android:value="xxxxxxxxxxxxxx"/>
)

But now my question is, how safe is that really? I can take the APK and drop it into Android Studio and then go through the AndroidManifest.xml file to easily find the key just there in the open. I was wondering why the key had to be in the manifest in the first place and what is good practices if I want to safely use other keys throughout my application?
 

Alex_197

Well-Known Member
Licensed User
Longtime User
So I followed the instructions in this post here and integrated google maps into my application. In that tutorial it says you should put your API key in the manifest editor like this.

B4X:
AddApplicationText(
<meta-data
  android:name="com.google.android.geo.API_KEY"
  android:value="xxxxxxxxxxxxxx"/>
)

But now my question is, how safe is that really? I can take the APK and drop it into Android Studio and then go through the AndroidManifest.xml file to easily find the key just there in the open. I was wondering why the key had to be in the manifest in the first place and what is good practices if I want to safely use other keys throughout my application?

If you worry about your keys - try the intent (you don't keys in this case)
Google Map:
private Sub ShowMap
    
    Try
        
        Dim Intent1 As Intent
        Dim urlMap As String="https://www.google.com/maps/search/"
        Dim su As StringUtils
        Dim Address As String
            
        Address=Main.SelectedClientAddress
        Address=Address.Replace(CRLF," ")       
        Address=su.EncodeUrl(Address,"UTF-8")           
        urlMap=urlMap & Address
                
        Intent1.Initialize(Intent1.ACTION_VIEW,urlMap)
        Intent1.SetComponent("googlemaps")
        StartActivity(Intent1)
    Catch
        Log("ShowMap " & LastException)
        modFun.ShowError("ShowMap " & LastException)
    End Try
    
End Sub
 
Upvote 0

Michael2150

Member
Licensed User
If you worry about your keys - try the intent (you don't keys in this case)
Google Map:
private Sub ShowMap
   
    Try
       
        Dim Intent1 As Intent
        Dim urlMap As String="https://www.google.com/maps/search/"
        Dim su As StringUtils
        Dim Address As String
           
        Address=Main.SelectedClientAddress
        Address=Address.Replace(CRLF," ")      
        Address=su.EncodeUrl(Address,"UTF-8")          
        urlMap=urlMap & Address
               
        Intent1.Initialize(Intent1.ACTION_VIEW,urlMap)
        Intent1.SetComponent("googlemaps")
        StartActivity(Intent1)
    Catch
        Log("ShowMap " & LastException)
        modFun.ShowError("ShowMap " & LastException)
    End Try
   
End Sub

Thanks for the suggestion, but I don't really mind using it like that, because the maps SDK is free anyway, but I would like to hear more about saving and using other keys in a safer way for more important things.
 
Upvote 0

DonManfred

Expert
Licensed User
Longtime User
You can restrict the usage of your Key in the Google Cloud Console.
- Restrict it to your Apps Packagename
- Restrict it to use only the Api x
 
Upvote 0

Alexander Stolte

Expert
Licensed User
Longtime User
I asked myself the same thing the other day, with Firebase Auth, the confirmation email contains the api key. The people at stackoverflow said that as soon as you publish an app, you make your API keys available. You should restrict the API key as @DonManfred described.
 
Upvote 0

DonManfred

Expert
Licensed User
Longtime User
That is an interesting solution I was also thinking about, and I will definitely keep it in mind when using some other more important keys with payments on them in the future.
Trying to encrypt the key does not make much sense.

The suggested method is to restrict you Apikey.

Once you restrict it to your apps Packagename no one can use it inside his App even if he reverseengineer your app to reveal the Key.
 
Upvote 0

Alexander Stolte

Expert
Licensed User
Longtime User
or even make believe that it is a jpg or mp3 file (eg: "welcome.jpg" or "pling1.mp3")
Put the API-Key in a image file.
 
Upvote 0

Michael2150

Member
Licensed User
I agree with @DonManfred for something like the GoogleMaps key that is a free service the easiest solution is just to restrict it. But I do find it interesting to see all these other cool solutions to the problem.
 
Upvote 0

DonManfred

Expert
Licensed User
Longtime User
But I do find it interesting to see all these other cool solutions to the problem.
they are good for other Issues.

But they are just unneeded work. You just make your life complicated than it should be trying to encrypt a GoogleApiKey to hide it from any Hacker.
 
Upvote 0

DonManfred

Expert
Licensed User
Longtime User
Michael2150 wants to hide his APIkey such that others can't use it, which is very understandable.
Sure. The - simple - Solution is to go into the Google Cloud console and restrict the Key to his Apps packagename.

No need to hide anything as no one is able to use this key. Except Michael.
 
Upvote 0
Top