Android Question How safe is my API keys?

[Michael2150]

So I followed the instructions in this post here and integrated google maps into my application. In that tutorial it says you should put your API key in the manifest editor like this.

AddApplicationText(
<meta-data
  android:name="com.google.android.geo.API_KEY"
  android:value="xxxxxxxxxxxxxx"/>
)

But now my question is, how safe is that really? I can take the APK and drop it into Android Studio and then go through the AndroidManifest.xml file to easily find the key just there in the open. I was wondering why the key had to be in the manifest in the first place and what is good practices if I want to safely use other keys throughout my application?

 

[Alex_197]

So I followed the instructions in this post here and integrated google maps into my application. In that tutorial it says you should put your API key in the manifest editor like this.

AddApplicationText(
<meta-data
  android:name="com.google.android.geo.API_KEY"
  android:value="xxxxxxxxxxxxxx"/>
)

But now my question is, how safe is that really? I can take the APK and drop it into Android Studio and then go through the AndroidManifest.xml file to easily find the key just there in the open. I was wondering why the key had to be in the manifest in the first place and what is good practices if I want to safely use other keys throughout my application?

If you worry about your keys - try the intent (you don't keys in this case)

private Sub ShowMap
    
    Try
        
        Dim Intent1 As Intent
        Dim urlMap As String="https://www.google.com/maps/search/"
        Dim su As StringUtils
        Dim Address As String
            
        Address=Main.SelectedClientAddress
        Address=Address.Replace(CRLF," ")       
        Address=su.EncodeUrl(Address,"UTF-8")           
        urlMap=urlMap & Address
                
        Intent1.Initialize(Intent1.ACTION_VIEW,urlMap)
        Intent1.SetComponent("googlemaps")
        StartActivity(Intent1)
    Catch
        Log("ShowMap " & LastException)
        modFun.ShowError("ShowMap " & LastException)
    End Try
    
End Sub

 

[Michael2150]

If you worry about your keys - try the intent (you don't keys in this case)

private Sub ShowMap
   
    Try
       
        Dim Intent1 As Intent
        Dim urlMap As String="https://www.google.com/maps/search/"
        Dim su As StringUtils
        Dim Address As String
           
        Address=Main.SelectedClientAddress
        Address=Address.Replace(CRLF," ")      
        Address=su.EncodeUrl(Address,"UTF-8")          
        urlMap=urlMap & Address
               
        Intent1.Initialize(Intent1.ACTION_VIEW,urlMap)
        Intent1.SetComponent("googlemaps")
        StartActivity(Intent1)
    Catch
        Log("ShowMap " & LastException)
        modFun.ShowError("ShowMap " & LastException)
    End Try
   
End Sub

Thanks for the suggestion, but I don't really mind using it like that, because the maps SDK is free anyway, but I would like to hear more about saving and using other keys in a safer way for more important things.

 

[DonManfred]

You can restrict the usage of your Key in the Google Cloud Console.
- Restrict it to your Apps Packagename
- Restrict it to use only the Api x

 

[Alexander Stolte]

I asked myself the same thing the other day, with Firebase Auth, the confirmation email contains the api key. The people at stackoverflow said that as soon as you publish an app, you make your API keys available. You should restrict the API key as @DonManfred described.

 

[Michael2150]

I guess that would be the best solution. Thanks for everyone's suggestions

 

[Michael2150]

by first encrypting your API

That is an interesting solution I was also thinking about, and I will definitely keep it in mind when using some other more important keys with payments on them in the future.

 

[DonManfred]

That is an interesting solution I was also thinking about, and I will definitely keep it in mind when using some other more important keys with payments on them in the future.

Trying to encrypt the key does not make much sense.

The suggested method is to restrict you Apikey.

Once you restrict it to your apps Packagename no one can use it inside his App even if he reverseengineer your app to reveal the Key.

 

[Alexander Stolte]

or even make believe that it is a jpg or mp3 file (eg: "welcome.jpg" or "pling1.mp3")

Protect your application against copy and changes

This method uses the F5Steg and PackageUtils libraries from ProBundle. There's a demo available in the Play Store: https://play.google.com/store/apps/details?id=b4a.protecthw.flm The source code is attached to this message and is used as a reference in the following explanations. It will not...

www.b4x.com

Put the API-Key in a image file.

 

[Michael2150]

I agree with @DonManfred for something like the GoogleMaps key that is a free service the easiest solution is just to restrict it. But I do find it interesting to see all these other cool solutions to the problem.

 

[DonManfred]

But I do find it interesting to see all these other cool solutions to the problem.

they are good for other Issues.

But they are just unneeded work. You just make your life complicated than it should be trying to encrypt a GoogleApiKey to hide it from any Hacker.

 

[DonManfred]

Michael2150 wants to hide his APIkey such that others can't use it, which is very understandable.

Sure. The - simple - Solution is to go into the Google Cloud console and restrict the Key to his Apps packagename.

No need to hide anything as no one is able to use this key. Except Michael.