
Google play console gives security alert - Vulnerable

Does anyone have an idea why it is giving a security alert?

Here is the build.gradle file with the libraries which I'm using in the app.

    android {
        compileSdkVersion 28
        defaultConfig {
            applicationId "************"
            minSdkVersion 16
            targetSdkVersion 28
            versionCode 126
            versionName "2.14.3"
            multiDexEnabled true
            testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"
    //        resConfigs "en"    // Commented because need to support MultiLanguage
            ndk.abiFilters 'armeabi-v7a', 'arm64-v8a', 'x86', 'x86_64'
        }
    }

    dependencies {
        api 'androidx.legacy:legacy-support-v4:1.0.0-beta01'
        api 'androidx.appcompat:appcompat:1.0.0-beta01'
        api 'com.google.android.material:material:1.0.0-beta01'
        api 'androidx.cardview:cardview:1.0.0-beta01'
        api 'androidx.recyclerview:recyclerview:1.0.0-beta01'
        api 'com.google.android.gms:play-services-maps:17.0.0'
        api 'com.google.android.gms:play-services-places:17.0.0'
        api 'com.google.android.libraries.places:places:2.1.0'
        api 'com.google.android.gms:play-services-auth:17.0.0'
        api 'androidx.multidex:multidex:2.0.1'
        api 'com.google.firebase:firebase-core:17.2.1'
        api 'com.google.firebase:firebase-messaging:20.0.1'
        api 'com.google.firebase:firebase-auth:19.2.0'
        api 'com.google.firebase:firebase-config:19.0.3'
        api 'com.google.android.play:core:1.5.0'
    }

The alert the Play Console is showing:

Vulnerable locations:

    **.**.*********.****.SliderImage.YouTubeVideo->onActivityResult
    **.**.*********.****.SliderImage.YouTubeVideo->onCreate
    **.**.*********.****.LocationAndContactActivity->setupAutocompleteFragment
    **.**.*********.****.LocateOnGoogleMapActivity->setupAutocompleteFragment
    **.**.*********.****.MediaDetailsActivity$13$1$1->run
    **.**.*********.****.MediaDetailsActivity$6->onClick
    **.**.*********.****.MediaDetailsActivity->assignYoutubeThumbnail
    **.**.*********.****.adapter.MediaAdapter$3->onClick
    **.**.*********.****.adapter.MediaAdapter->onBindViewHolder
    **.**.*********.****.CustomPages_Adapter$4->onClick
    **.**.*********.****.CustomPages_Adapter->onBindViewHolder
    **.**.*********.****.adapter.CustomPagesAdapter$4->onClick
    **.**.*********.****.adapter.CustomPagesAdapter->onBindViewHolder
    **.**.*********.****.ProductDetailsActivity$11->onClick
    **.**.*********.****.ProductDetailsActivity$26$1$1->run
    **.**.*********.****.ProductDetailsActivity->onCreate
    **.**.*********.****.WebPostDetailActivity->setupAutocompleteFragment
    **.**.*********.****.adapter.WebPostAdapter$4->onClick
    **.**.*********.****.adapter.WebPostAdapter->onBindViewHolder
    **.**.*********.****.FourthStageActivity->setupAutocompleteFragment

Avi Soni
  • Can you show the full warning you are getting? – MohanKumar Jan 02 '20 at 05:40
  • Google Play will tell you exactly what's wrong with it! You should see a list of all the classes Google deems as unsafe! – kriskotoo BG Jan 02 '20 at 05:54
  • @MohanKumar I have added the warning I am getting – Avi Soni Jan 02 '20 at 06:02
  • @kriskotooBG Until now it was working fine. After so many months it gives me the security alert. I started facing this problem when I migrated to AndroidX and upgraded the Google library – Avi Soni Jan 02 '20 at 06:04
  • Are you using any services, like APIs or databases? If yes, you might have your API access keys exposed! Check for any exposed keys in those classes! – kriskotoo BG Jan 02 '20 at 06:15
  • @kriskotooBG From where and how will I get to know whether API keys are exposed? – Avi Soni Jan 02 '20 at 06:21
  • @kriskotooBG One alert is for maps, which I am using in the app, and the second one is for the YouTube thumbnail, for which I am not using any YouTube API – Avi Soni Jan 02 '20 at 06:24
  • @AviSoni This link should help you: https://developer.android.com/google/play/asi :) – kriskotoo BG Jan 02 '20 at 06:35
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/205202/discussion-between-avi-soni-and-kriskotoo-bg). – Avi Soni Jan 02 '20 at 06:48

1 Answer

This usually happens when your API keys are exposed, which means you are using API keys directly in application code, so anyone can just extract your APK, get the API keys easily, and exhaust your usage quotas.

FIX

There are several methods to hide your API keys. One of the best methods is storing the key on an external server and retrieving it. You may also use other methods from the links below:

  1. Methods with explanations
  2. Restricting API keys
  3. Encryption methods
MohanKumar
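
One way to check your own project tree (or an unpacked copy of your APK) for key-shaped string literals, as an added example that is not part of the original answer. It assumes keys in the usual Google form of `AIza` followed by 35 URL-safe characters; the sample class, the key in it, and the file suffix list are constructed for illustration.

```python
import re
from pathlib import Path

# Assumption: Google API keys look like "AIza" followed by 35 URL-safe characters.
GOOGLE_API_KEY = re.compile(r"AIza[0-9A-Za-z_\-]{35}")
# Assumption: file types worth checking in an Android project or unpacked APK.
SUFFIXES = {".java", ".kt", ".xml", ".gradle", ".properties", ".json", ".smali"}

def scan_text(text, name="<memory>"):
    """Return (name, line_number, masked_key) for each key-shaped literal in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in GOOGLE_API_KEY.finditer(line):
            key = match.group(0)
            # Mask the value so the report does not leak the key a second time.
            findings.append((name, line_no, key[:8] + "..." + key[-4:]))
    return findings

def scan_tree(root):
    """Scan every matching file under root and collect the findings."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in SUFFIXES:
            findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return findings

# Constructed sample: a fake key hardcoded in one of the flagged method names.
FAKE_KEY = "AIza" + "EXAMPLE" * 5
SAMPLE = '''public class LocateOnGoogleMapActivity {
    private void setupAutocompleteFragment() {
        Places.initialize(getApplicationContext(), "%s");
    }
}''' % FAKE_KEY

if __name__ == "__main__":
    for name, line_no, masked in scan_text(SAMPLE, "LocateOnGoogleMapActivity.java"):
        print(f"{name}:{line_no}: hardcoded key {masked}")
```

Run `scan_tree("app/src")` from the project root to cover the real sources; a finding in one of the classes the Play Console lists is the literal to move out of the app.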