
The Google API key to access Google Maps API is stored in my React-Native mobile app manifest. I have followed the recommendations and restricted use of it to the package of my app and to the Maps API on GCP.

Can a malicious user decompile my app, extract the key and the package name and still use it?

Schultz9999
  • 8,717
  • 8
  • 48
  • 87
  • My understanding is that there is no way to completely hide this API Key and that the only protection is restricting key usage like you did. Since your package has a unique id there would be no way for an attacker to use that key. Did you end up using another technique @Schultz9999? – Perennialista Jan 09 '22 at 00:58

2 Answers

0

If you're using the Android app restriction feature, then your Google API key is safe, and can't be stolen.

There are two types of API key restrictions: API restrictions and application restrictions. Application restrictions limit usage of the API key to a specific web site, web server, or application. Google Maps Platform supports four types of application restrictions:

  • ...
  • Android app restriction: restricts usage to calls from an Android app with a specified package name.

taken from GCP Google Maps best practices.

Ben Butterworth
  • 22,056
  • 10
  • 114
  • 167
  • Right. That's in theory. My concern is hacking the key out from the APK together with the app package name and then using these two pieces of info to call the Google API. – Schultz9999 Apr 22 '20 at 19:28
0

As long as the API key lives in your code, the application's APK can always be decompiled and decrypted to get the API key.

The only solution that will guarantee that keys are not exposed is simple: don't put them in the project in the first place. I usually create a local.properties file which contains my keystore path, my passwords and API keys as key-value pairs. Then I exclude it from my VCS, and simply open up a FileStream and read those key-value objects.

You can't leak your API keys that way.

Karan Dhillon
  • 1,186
  • 1
  • 6
  • 14
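The answer above describes keeping the key in local.properties outside version control. As an added example (not code from the question, the answers, or any Google documentation), this is how that idea is usually wired into an Android build: the app module's build.gradle reads the file at build time and injects the value into the manifest through a placeholder. The property name MAPS_API_KEY and the placeholder name mapsApiKey are assumptions chosen for this example; the meta-data name com.google.android.geo.API_KEY is the one the Maps SDK for Android reads. Note what this does and does not protect: the key is kept out of git, but it is still compiled into the APK's AndroidManifest.xml, so the Android app restriction (package name plus signing certificate) described in the first answer remains the control that limits misuse of an extracted key.

```groovy
// app/build.gradle (module level) -- added example, not the project's own build file.
// Reads MAPS_API_KEY from local.properties, which must be listed in .gitignore.

def localProps = new Properties()
def localPropsFile = rootProject.file('local.properties')
if (localPropsFile.exists()) {
    localPropsFile.withInputStream { stream -> localProps.load(stream) }
}

// Fail the build loudly rather than shipping an APK with an empty key.
def mapsApiKey = localProps.getProperty('MAPS_API_KEY')
if (mapsApiKey == null || mapsApiKey.trim().isEmpty()) {
    throw new GradleException(
        'MAPS_API_KEY is missing from local.properties (assumed property name for this example)')
}

android {
    defaultConfig {
        // Substituted into AndroidManifest.xml wherever ${mapsApiKey} appears.
        manifestPlaceholders = [mapsApiKey: mapsApiKey]
    }
}

// Corresponding AndroidManifest.xml entry inside <application>:
//   <meta-data
//       android:name="com.google.android.geo.API_KEY"
//       android:value="${mapsApiKey}" />
//
// local.properties (never committed; add it to .gitignore):
//   MAPS_API_KEY=AIza...placeholder-value...
```

The merged manifest inside the built APK will contain the real value, so the property file only removes the key from source control. Pair it with the API restriction (Maps only) and the Android app restriction so that a key recovered from the APK cannot be billed against your project from another app.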