dpa99c / phonegap-launch-navigator

Phonegap/Cordova plugin which launches native route navigation apps for Android, iOS and Windows
369 stars 131 forks source link

GOOGLE_API_KEY_FOR_ANDROID variable may lead to unauthorized access to google api key #249

Closed PDLMobileApps closed 4 years ago

PDLMobileApps commented 4 years ago

Bug report

CHECKLIST

Current behavior:

GOOGLE_API_KEY_FOR_ANDROID variable, which is set in the config.xml, is stored in the AndroidManifest.xml in cleartext making it possible for an attacker to access the Google API Key and use it unauthorized manner. That may lead to overbilling in pay-per-use scenarios.

The plugin requires the Google API Key to be set in the GOOGLE_API_KEY_FOR_ANDROID variable in config.xml and stores it in the AndroidManifest.xml in cleartext. Hence, this is an issue with the plugin.

Expected behavior:

The Google API key should be set in a variable that is not accessible to the attacker, that is, not in AndroidManifest.xml.

Steps to reproduce:

  1. Follow the instructions to install the plugin in a Cordova app
  2. Build the app for android
  3. Decompile the app (http://www.javadecompilers.com/apk) and open the AndroidManifest.xml

Google API Key is contained in that file

Screenshots

Environment information

Related code:

config.xml

    <plugin name="uk.co.workingedge.phonegap.plugin.launchnavigator" spec="5.0.4">
        <variable name="GOOGLE_API_KEY_FOR_ANDROID" value="my_google_key" />
        <variable name="OKHTTP_VERSION" value="3.+" />
    </plugin> 

AndroidManifest.xml

<?xml version='1.0' encoding='utf-8'?>
<manifest android:hardwareAccelerated="true" android:versionCode="100899" android:versionName="9.99.999" package="com.foodlion.mobile" xmlns:android="http://schemas.android.com/apk/res/android">
    <application android:allowBackup="false" android:extractNativeLibs="true" android:hardwareAccelerated="true" android:icon="@mipmap/ic_launcher" android:label="@string/app_name" android:supportsRtl="true" android:usesCleartextTraffic="true" tools:replace="android:allowBackup" xmlns:tools="http://schemas.android.com/tools">
        ...
       <activity android:name="com.worklight.wlclient.ui.UIActivity" />
        <meta-data android:name="launchnavigator.GOOGLE_API_KEY" android:value="my_google_key" />