I am trying to get some clarity on how I am supposed to store in my mobile app Google API Keys used to Sign In with Google and access the Google Maps API. I am not talking about any API key, I am talking specifically about these two.
I am building my app with Expo and I do provide the API keys in the app.config.js file as per instructions. Something like:
config.android = {
...config.android,
package: 'com.example.app',
config: {
googleSignIn: {
apiKey: process.env.GOOGLE_SIGN_IN_API_KEY,
certificateHash: process.env.GOOGLE_CERTIFICATE_HASH,
},
googleMaps: {
apiKey: GOOGLE_MAPS_API_KEY,
},
},
}
I am assuming these two keys will eventually end up in the manifest file and can therefore be extracted from the app with some reverse engineering. Is this safe?
The Google Sign In API Key is used by the mobile app to oAuth with Google while the Google Maps API key is used by a map. From the Google developer console, I have restricted usage for both keys to my app by providing the package id (com.example.app) as well as the fingerprint of the SHA1 certificate used to sign the app.
It is my understanding that no other app or entity would be able to use these keys, am I wrong? Is there still some risk if they get compromised? If there is, what am I supposed to do instead? I want user of my app to authenticate with Google directly so I do have to somehow embed the API key in the app.
Similar questions have been asked on SO here, here, here and here but the answers are all over the place: it is fine or you are making a huge mistake that will put the safety of your application at risk. Some clarity would be much appreciated.
Some documentation from Google on how to embed the Google Maps Api key in an app. They seem to imply that one has to somehow "protect" the API key.
