Google Geo location Api key exposed in Android Apk

Question

Google Warned Me that my google Api key exposed in Manifest file and in Java file. My Manifest file looks like :

<meta-data
            android:name="com.google.android.geo.API_KEY"
            android:value="AIza..................................03E"/>

In strings.xml file :

<string name="google_direction_api_key">AIza................................03E</string>

In Java:

+"&"+"key="+getResources().getString(R.string.google_direction_api_key);

so, My question is how to use this Api key in java and in xml file so that the key will not exposes? Is there any way?

Thanks.

Answer 1

You have to restrict that key to only work with the key fingerprints the app package had been signed with - with unrestricted API keys, these can be extracted and then used and charged against your credit card. If this API key is being referenced from resources or a static string does not matter the least, hence both can be extracted - only key restrictions can prevent unauthorized use.

@see API Key Best Practices.

Answer 2

You would be able to set it as a resource reference directly.

<meta-data
        android:name="com.google.android.geo.API_KEY"
        android:value="@string/google_direction_api_key"/>

Have you made sure to use an API key which is confide to to your application id and signature? Maybe the warning means that the key could be used from a different application as well. Try to create a new API key which is only valid for your application and see if the warning persists.