1

Google Warned Me that my google Api key exposed in Manifest file and in Java file. My Manifest file looks like : 

<meta-data
            android:name="com.google.android.geo.API_KEY"
            android:value="AIza..................................03E"/>

In strings.xml file : 

<string name="google_direction_api_key">AIza................................03E</string>

In Java: 

+"&"+"key="+getResources().getString(R.string.google_direction_api_key);

so, My question is how to use this Api key in java and in xml file so that the key will not exposes? Is there any way?

Thanks.

Noor Hossain
  • 603
  • 8
  • 18
  • 1
    This might help: https://stackoverflow.com/questions/14570989/best-practice-for-storing-and-protecting-private-api-keys-in-applications and https://developers.google.com/maps/api-key-best-practices Please check. – Avilash Sep 29 '19 at 16:03
  • @Avilash, How to use in Manifest ? – Noor Hossain Sep 29 '19 at 16:08

2 Answers2

1

You have to restrict that key to only work with the key fingerprints the app package had been signed with - with unrestricted API keys, these can be extracted and then used and charged against your credit card. If this API key is being referenced from resources or a static string does not matter the least, hence both can be extracted - only key restrictions can prevent unauthorized use.

@see API Key Best Practices.

Martin Zeitler
  • 49,224
  • 12
  • 97
  • 156
  • In this way, I have faced another problem when I restrict browser key for direction, it wont work, what can I do ? @Martin Zeitler ? any suggestion ? – Noor Hossain Oct 05 '19 at 12:59
  • @NoorHossain what do you mean by "browser key"? Android keys are not web keys, which only can be restricted by IP address. So you could only access the API through a web-server, when requesting from a web-view (which has dynamic IP). Best is even to request server-side, so that the key won't be exposed at all. – Martin Zeitler Oct 05 '19 at 16:02
0

You would be able to set it as a resource reference directly.

<meta-data
        android:name="com.google.android.geo.API_KEY"
        android:value="@string/google_direction_api_key"/>

Have you made sure to use an API key which is confide to to your application id and signature? Maybe the warning means that the key could be used from a different application as well. Try to create a new API key which is only valid for your application and see if the warning persists.

tynn
  • 33,607
  • 8
  • 80
  • 121
  • But it can exposed in string reference. See in my question in java part. I used string reference but google said that : it can be exposed. – Noor Hossain Oct 05 '19 at 12:55