I have a open source android app. In order to use for example the new Awareness API I need to have an api key that my application will be using.
That one is generated by providing the package name and the SHA-1 of the certificate.
The place where it's stored is the Manifest.xml which of course is version controlled.
Is this safe? Since my project is opensource anybody will be able to see this key, but can he actually use it? Why?
P.S. The instruction for the above can be found here
Instead of Version Controlling it, I would instead put it in a separate XML File, and put it in the .gitignore. You can reference the XML File in the String Resources file, and instead of using the hard coded API Key, use the String Resource that corresponds to the API Key, like @string/API_KEY. That is a much safer way to do this. This way, you are not opening your key up to public access, and the application still has the corresponding data it needs.