Remediation for Exposed GCP API keys

This information is intended for developers with app(s) that contain exposed Google Cloud Platform (GCP) API key(s). Locations of exposed GCP API keys in your app can be found in the Play Console notification for your app.

Additional Details

If you embed GCP API keys in your applications, those keys will become publicly available. This exposure of your API keys could lead to unexpected charges and quota changes in your app’s account. We recommend fixing this issue in your app in one of the following ways:

  1. If possible, use GCP service accounts in lieu of GCP API keys for authenticating your app. A GCP service account is a Google account associated with your GCP project. More details on creating and using service accounts can be found here.
  2. Add restrictions to your API key so that only your apps are allowed to use the API key. More details on adding restrictions to API keys can be found here. (Please note: If you have already added restrictions to your API key, you can ignore this warning.)

Please review the GCP best practices for securely using API keys.

Next steps

  1. Update your app using the steps highlighted above.
  2. Sign in to your Play Console and submit the updated version of your app.

Your app will be reviewed again; if the app has not been updated correctly, you will still see the warning. This process can take several hours.
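A local check you can run on a build before resubmitting it, as an added example (not part of the original guidance or of Google's tooling): it searches every entry of an APK for strings shaped like GCP API keys and reports where they are. The key pattern (`AIza` plus 35 URL-safe characters) is a commonly used heuristic and an assumption here; the sample archive and key are constructed.

```python
import io
import re
import zipfile

# Heuristic (assumption of this example): Google API keys are "AIza" plus 35
# URL-safe characters. Searched as ASCII/UTF-8 and as UTF-16LE, because
# resources.arsc string pools may use either encoding.
KEY_ASCII = re.compile(rb"AIza[0-9A-Za-z_\-]{35}")
KEY_UTF16 = re.compile(rb"A\x00I\x00z\x00a\x00(?:[0-9A-Za-z_\-]\x00){35}")

def redact(key: str) -> str:
    """Keep just enough of the key to look it up in the Cloud console."""
    return key[:8] + "..." + key[-4:]

def scan_apk(apk):
    """Return sorted (entry, offset, encoding, redacted key) for each match.

    `apk` is a path or binary file object. An APK is a ZIP archive, so every
    entry (classes.dex, resources.arsc, assets/...) is decompressed and searched.
    """
    findings = []
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            for m in KEY_ASCII.finditer(data):
                findings.append((info.filename, m.start(), "ascii", redact(m.group().decode("ascii"))))
            for m in KEY_UTF16.finditer(data):
                findings.append((info.filename, m.start(), "utf-16le", redact(m.group().decode("utf-16-le"))))
    return sorted(findings)

def build_sample_apk():
    """Constructed sample: a small ZIP standing in for an APK, with a made-up key."""
    fake = "AIza" + "Example-Key_" + "0" * 23  # not a real key
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + fake.encode("ascii") + b"\x00")
        zf.writestr("resources.arsc", b"\x02\x00" + fake.encode("utf-16-le") + b"\x00\x00")
        zf.writestr("assets/config.json", b'{"endpoint": "https://example.invalid"}')
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for entry, offset, enc, key in scan_apk(build_sample_apk()):
        print(f"{entry} @ {offset} ({enc}): {key}")
```

A key that stays in the app with restrictions applied (option 2 above) is still reported; use the redacted value to confirm that it is the restricted key.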

We’re here to help

If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.”
