Android Question Exposing API Key when using Geocoding API

Derek Johnson

Derek Johnson

Active Member
Licensed User
Longtime User
My app uses the Google Geocoding API to get an address from a Lat/Long.

This is the sort of thing that it uses:

B4X: 
    Dim j As HttpJob
    j.Initialize("GetAddress", Me)
    j.Download2("https://maps.googleapis.com/maps/api/geocode/json", Array As String( _
"latlng", lat & "," & lon, _
"result_type","street_address|locality", _
    "key",API_key))

NB The number of requests made by App is fairly low and not above the free amount allowed, so I don't have a payment account set up.

I've recently spotted this warning in the Google Dev Console:

Your app contains exposed Google Cloud Platform (GCP) API keys. Please see this Google Help Centre article for details.
Click to expand...

Apparently if I were to use a Service Account this problem would be reduced.

Has anyone else managed to solve this issue?
 
Sort by date Sort by votes
DonManfred

DonManfred

Expert
Licensed User
Longtime User
Upvote 0
Derek Johnson

Derek Johnson

Active Member
Licensed User
Longtime User
DonManfred said:
Setup billing for your account. Create a token, restrict the token to your app.
Click to expand...

I don't think that restricting the token to my app will work as this is using the Web Service to do the work, and the web service request could come from anywhere.

I think that I will have to use the Geocoding Library to solve this. Incidentally this warning first appeared on 13 Jun 2019, just after Google tightened up on Geocoding requests.)
 
Upvote 0
DonManfred

DonManfred

Expert
Licensed User
Longtime User
I know that restricting the key to your app IS the solution. Once you restrict it google will know.

NO ONE else can use the key in his app even if he extract it from my app using reverse engineering.

Using a Server key is not possible in android. The key must be used on a SERVER. In a B4J App for example.

Note that everyone with a bit knowledge is able to extract the key from your app. Having a serverkey bound in your app open the door wide open for any hacker.
 
Last edited:
Upvote 0
You must log in or register to reply here.

Similar Threads

walterf25
  • Question
Android Question API_KEY obfuscation
Replies
5
Views
594
Erel
Erel
aeric
  • Article
Share My Creation (PHP/MySQL/API) User Login App
4 5 6
Replies
108
Views
48K
aeric
aeric
asales
  • Question
Android Question Remediation for Exposed GCP API keys
Replies
9
Views
4K
mmieher
mmieher
Alexander Stolte
  • Question
Android Question [B4X] Google Geocoding REST API Get only City Name [Solved]
Replies
4
Views
5K
Alexander Stolte
Alexander Stolte
Erel
  • Article
Android Code Snippet [B4X] Google Geocoding REST API
2
Replies
32
Views
24K
aeric
aeric
Top