Embedded Google OAuth Refresh Token

This information is intended for developers of apps that have embedded the Google OAuth refresh token of a hardcoded user in their app.

A hardcoded refresh token can be extracted from your application and exchanged for an access token by anyone analyzing your application,  which may impact the security of your app(s). Furthermore, if the token is revoked, it may interfere with proper functioning of the app.

We recommend that if you are using the account to store user’s data, or access Google resources in an authenticated fashion, consider using GoogleApiClient or GoogleCredential

Steps to fix:

  1. Update your app to not embed the refresh token in-app.
  2. Sign in to your Developer Console and submit the updated version of your app. 
  3. Check back after five hours - we’ll show a warning message if the app hasn’t been updated correctly.

For other technical questions, you can post to Stack Overflow and use the tag “android-security”. Note that questions about Play policy should not be posted to Stack Overflow.

Note that apps must also comply with the Developer Distribution Agreement and Content Policy. If you feel you have received this vulnerability warning in error, contact our policy support team through the Google Play Developer Help Center.

Was this helpful?
How can we improve it?