
How to secure Google API keys


I have been doing some security testing on an Android app. One thing I am trying to wrap my head around is API key security, particularly Google Places and Maps keys. There are lots of posts that talk about the options, namely compiling keys into source, placing them in resource files, compiling them into a shared library, etc. In my particular case, the Maps key is in the manifest file, and the Places key is in a shared library. I created a signed APK to test how hard it would be to obtain and use one of the keys. I did the following:

  • Reverse engineered the APK using apktool,
  • Opened the manifest and grabbed the Maps key,
  • Created a fake version of the application with the same package structure as the original containing an activity with a Google map fragment,
  • Put the Maps key in the fake manifest,
  • Ran the application, which displayed the map

Then I:

  • Created a new class in the fake app with the same package and name as the original with code to load the shared library from /data/data/[package name],
  • Copied the shared library from the reverse engineered APK to the /data/data/[package name] folder of the fake app,
  • Ran the fake app, which then printed out the Locations API key

So in the end, without much effort, I had both keys which I could then use in a fake version of the application.

I'm sure I must be missing something. It looks like the only option for Maps is to store the key in the manifest. What is stopping someone from doing what I did? Surely it can't just be indifference. I realize that someone would probably get caught if they tried to publish their app using a hijacked API key. However, someone could create an app and have people side load it. It would be a huge disruption for customers if the company had to change a hijacked key every time someone messed with it.


Solution

  • I believe you need to go through the docs for Google API keys again. There seems to be something called restrictions that should be able to help you ensure that your keys are protected and not used in some other application.

    I believe that restrictions prevent a request from other domains you have not included from being able to render.

    API Key best practices
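
The restrictions mentioned in the answer can be checked mechanically. The following is an added example, not code from the original post or from Google: it audits exported key settings for a missing Android application restriction (package name plus signing-certificate SHA-1) and a missing API restriction. The field names are assumed to follow the key resource of Google's API Keys API v2; the key names, package name, fingerprint and service list are constructed sample values.

```python
# Added example: audit API key restriction settings offline.
# Assumption: field names follow the API Keys API v2 key resource
# (restrictions.androidKeyRestrictions.allowedApplications, restrictions.apiTargets).

def normalize_fp(fp):
    """Compare SHA-1 fingerprints regardless of colons and letter case."""
    return fp.replace(":", "").upper()

def audit_key(key, package, release_fp, allowed_services):
    """Return findings for one key; an empty list means it is locked down."""
    findings = []
    r = key.get("restrictions") or {}
    apps = (r.get("androidKeyRestrictions") or {}).get("allowedApplications") or []
    if not apps:
        findings.append("no Android application restriction")
    for app in apps:
        if app.get("packageName") != package:
            findings.append(f"unexpected package {app.get('packageName')!r}")
        if normalize_fp(app.get("sha1Fingerprint", "")) != normalize_fp(release_fp):
            findings.append("fingerprint is not the release signing certificate")
    targets = {t.get("service") for t in r.get("apiTargets") or []}
    if not targets:
        findings.append("no API restriction: key works for every enabled API")
    for extra in sorted(targets - set(allowed_services)):
        findings.append(f"key also allows {extra}")
    return findings

# Constructed sample values (not taken from any real project).
PACKAGE = "com.example.app"
RELEASE_FP = "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67"
PLACES = "places-backend.googleapis.com"
MAPS = "maps-android-backend.googleapis.com"
app_ok = {"packageName": PACKAGE, "sha1Fingerprint": "0123456789abcdef0123456789abcdef01234567"}
app_debug = {"packageName": PACKAGE, "sha1Fingerprint": "FF" * 20}
SAMPLE_KEYS = [
    {"displayName": "maps-key"},  # exported with no restrictions at all
    {"displayName": "places-key", "restrictions": {
        "androidKeyRestrictions": {"allowedApplications": [app_ok]},
        "apiTargets": [{"service": PLACES}]}},
    {"displayName": "old-places-key", "restrictions": {
        "androidKeyRestrictions": {"allowedApplications": [app_debug]},
        "apiTargets": [{"service": PLACES}, {"service": MAPS}]}},
]

def audit_all(keys=SAMPLE_KEYS):
    """Map each key's display name to its list of findings."""
    return {k["displayName"]: audit_key(k, PACKAGE, RELEASE_FP, [PLACES]) for k in keys}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "OK" if not findings else findings)
```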