0

I got an email from Google that says:

We have detected a publicly accessible Google API key associated with the following Google Cloud Platform project

and they point at the api key inside my google-services.json file and at a url of someone hosting my apk.

The google-services.json file is just what I got when following the Firebase instructions and put it where it said to put it. So did I do something wrong?

Doug Stevenson
  • 297,357
  • 32
  • 422
  • 441
casolorz
  • 8,486
  • 19
  • 93
  • 200
  • No you are not supposed to edit it, you have to [restrict](https://cloud.google.com/docs/authentication/api-keys#api_key_restrictions) it – Nongthonbam Tonthoi Aug 06 '19 at 16:25
  • Thank you, I have now restricted it to my Android app and iOS app. I will have to analyze it a bit more before restricting APIs. I'm surprised they weren't restricted to start with considering they asked for SHA1 of the apk already. If you want to make an answer about this then I will mark it as answered. – casolorz Aug 06 '19 at 17:17

1 Answers1

1

No you are not supposed to edit it, you have to restrict it.

Note that if you are using Android Studio, you can get the signing report see this accepted answer here.

Nongthonbam Tonthoi
  • 12,667
  • 7
  • 37
  • 64