We use react-native maps in our react native app. Our PenTesting team asked to remove Google map api key form AndroidManifest.xml file after they extract the apk from jadx - https://github.com/skylot/jadx tool, because they can see our map api key after extract the apk form that tool. We looked into removing the maps API key from the source code and the package that we use to integrate google maps require the key to be located in AndroidManifest.xml.
We tried storing the key in gradle.properties file and pass it to manifest file via a variable as mentioned by Google however when the app is getting built, the key is getting added back into the manifest file.
Do you have a way that you suggest to keep the key out of the source code when it's required to be within manifest file for the maps features to work? We Have already restrict our Google map api key in Google Cloud Console.
Create a new file keys.xml in the directory:
../android/app/src/main/res/values/keys.xml
Keys.xml:
<?xml version="1.0" encoding="utf-8"?>
<resources>
<string name="google_maps_api_key">PASTE_GOOGLE_MAP_API_KEY_HERE</string>
</resources>
Replace PASTE_GOOGLE_MAPS_API_KEY_HERE with your actual Google Maps API key.
Now, use this key in the AndroidManifest.xml:
<application ...>
...
<meta-data
android:name="com.google.android.geo.API_KEY"
android:value="@string/google_maps_api_key"/>
...
</application>
By adopting this approach, you ensure that your sensitive API key remains separated from your source code and enhances security.
Make sure to add keys.xml in git-ignore file to keep API key saperate.