Android Question Remediation for Exposed GCP API keys

asales

Well-Known Member
Licensed User
Longtime User
I got an alert in the Google Console for one of my apps.

Security Alert
The app has open Google Cloud Platform (GCP) API keys. See this Google Help Center article for more details.
Vulnerable locations:


( Alerta de segurança
O app tem chaves expostas de API do Google Cloud Platform (GCP). Leia este artigo da Central de Ajuda do Google para saber mais detalhes.
Locais vulneráveis:
)

br.com.myprofiles.main->_globals
br.com.myprofiles.main->_vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv4

The article mentioned is this:
https://support.google.com/faqs/answer/9287711

All my apps have these lines in Process_Globals. Only now do I get this alert.
B4X:
Sub Process_Globals
   Dim billman3 As BillingManager3   
   Dim Const chv As String = "MIIBI...AB"
End Sub

I haven't changed anything in this line since the app was released some years ago, and now I get this alert.
What can be the problem and how can I fix it?

Thanks in advance for any tips.
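
To see which string literals in a project are shaped like GCP API keys, as opposed to other long constants such as a base64 blob beginning `MIIBI`, here is an added example (not part of the original post and not the poster's code): a Python scanner over B4X source text. It assumes the usual GCP API key shape of `AIza` followed by 35 URL-safe characters; the file name `Main.bas`, the sample source and both sample values are constructed.

```python
import re

# Assumption: a GCP API key is "AIza" followed by 35 URL-safe characters.
GCP_KEY_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])")
# Base64 of DER data (an RSA public key, a certificate) starts with "MI".
DER_B64_RE = re.compile(r"MI[0-9A-Za-z+/]{100,}={0,2}")
# B4X string literal; a doubled quote inside the literal is an escaped quote.
LITERAL_RE = re.compile(r'"((?:[^"]|"")*)"')


def redact(value):
    """Keep enough of a secret to recognise it without copying it into logs."""
    return f"{value[:6]}...({len(value)} chars)"


def scan(source, filename):
    """Return (filename, line, kind, redacted) for each suspicious literal."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in LITERAL_RE.finditer(line):
            literal = match.group(1)
            if DER_B64_RE.fullmatch(literal):
                # Long DER blob: key material, but not a GCP API key.
                findings.append((filename, line_no, "der-blob", redact(literal)))
                continue
            for key in GCP_KEY_RE.findall(literal):
                findings.append((filename, line_no, "gcp-api-key", redact(key)))
    return findings


# Constructed sample input: neither value is a real key.
SAMPLE_KEY = "AIza" + "Sy" + "C" * 33
SAMPLE_DER = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" + "A" * 340 + "IDAQAB"
SAMPLE_SOURCE = f'''Sub Process_Globals
   Dim Const chv As String = "{SAMPLE_DER}"
   Public API_KEY As String = "{SAMPLE_KEY}"
   Dim url As String = "https://example.invalid/json?key={SAMPLE_KEY}&x=1"
End Sub
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE_SOURCE, "Main.bas"):
        print(*finding)
```

Every `gcp-api-key` finding is a key that ships inside the APK and therefore needs restrictions in the Cloud console; the values are redacted so the scan output can be pasted into a ticket.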
 

DonManfred

Expert
Licensed User
Longtime User
The interesting part is:

Add restrictions to your API key so that only your apps are allowed to use the API key. More details on adding restrictions to API keys can be found here.

Solution: Add a restriction to your Key. For ex. add your packagename and signhash: only your app can use the key then.
 

mmieher

Active Member
Licensed User
Longtime User
Great suggestion, Don. How do you do that? Have read that article ten times and I still do not know what to do?
 

mmieher

Active Member
Licensed User
Longtime User
It is there where you define the API access token.
You can limit the key. And you have to.
You need to choose Android and give your package name and also your SHA hash to limit the key to use only in this app.
Thank you. I did that. Either I messed up or I need to do something in B4a. I get a "REQUEST_DENIED" on this in Starter.
B4X:
    Dim url As String = "https://maps.googleapis.com/maps/api/timezone/json?location=" & loc & "&timestamp=" & ( DateTime.now/1000) & "&key=" & B4XPages.MainPage.API_KEY
 

mmieher

Active Member
Licensed User
Longtime User
I had to pick two GeoCode things. There was nothing about "Maps" in the list I was presented. I have Maps API enabled cuz all this worked before I got the Publishing error and started f'ing with the Cloud.
 

mmieher

Active Member
Licensed User
Longtime User
I just discovered this. Good grief. I still am going to solve the API thing.
B4X:
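' GetTimeZoneOffsetAt returns the offset in hours as a Double (for example 5.5), so a Long would truncate it
Dim goodGrief As Double = DateTime.GetTimeZoneOffsetAt(DateTime.Now)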
 