Bug report
CHECKLIST
[x] I have read the issue reporting guidelines
[x] I confirm this is a suspected bug or issue that will affect other users
[x] I have reproduced the issue using the example project or provided the necessary information to reproduce the issue.
[x] I have read the documentation thoroughly and it does not help solve my issue.
[x] I have checked that no similar issues (open or closed) already exist.
Current behavior:
The GOOGLE_API_KEY_FOR_ANDROID variable, which is set in the config.xml, is stored in the AndroidManifest.xml in cleartext, making it possible for an attacker to access the Google API Key and use it in an unauthorized manner. That may lead to overbilling in pay-per-use scenarios.
The plugin requires the Google API Key to be set in the GOOGLE_API_KEY_FOR_ANDROID variable in config.xml and stores it in the AndroidManifest.xml in cleartext. Hence, this is an issue with the plugin.
Expected behavior:
The Google API key should be set in a variable that is not accessible to the attacker, that is, not in AndroidManifest.xml.
Steps to reproduce:
Follow the instructions to install the plugin in a Cordova app
Google API Key is contained in that file
Screenshots
Environment information
Related code:
config.xml
AndroidManifest.xml
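
An added example, not part of the original issue or the plugin's code: a build-time check that parses a text AndroidManifest.xml and reports every attribute value shaped like a Google API key, with the key redacted in the report. The package, the meta-data names and the key in the sample are constructed; the pattern assumes the usual Google API key shape of `AIza` followed by 35 characters.

```python
import re
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Google API keys are "AIza" followed by 35 URL-safe characters.
GOOGLE_KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")

# Constructed sample: fake key, hypothetical meta-data names and package.
FAKE_KEY = "AIza" + "0" * 35
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.app">
  <application android:label="Example">
    <meta-data android:name="example.plugin.API_KEY" android:value="{FAKE_KEY}"/>
    <meta-data android:name="example.plugin.MODE" android:value="debug"/>
  </application>
</manifest>"""


def redact(key):
    """Keep enough of the key to identify it in a report without re-leaking it."""
    return key[:6] + "..." + key[-2:]


def find_embedded_keys(manifest_xml):
    """Return (tag, android:name, attribute, redacted key) per key-shaped attribute value."""
    findings = []
    for elem in ET.fromstring(manifest_xml).iter():
        name = elem.get(f"{{{ANDROID_NS}}}name", "")
        for attr, value in elem.attrib.items():
            for match in GOOGLE_KEY_RE.finditer(value):
                local_attr = attr.rsplit("}", 1)[-1]  # drop the namespace prefix
                findings.append((elem.tag, name, local_attr, redact(match.group())))
    return findings


def main(argv):
    # With a path argument, scan that manifest; otherwise scan the constructed sample.
    xml_text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_MANIFEST
    findings = find_embedded_keys(xml_text)
    for tag, name, attr, key in findings:
        print(f"cleartext key in <{tag} android:name={name!r}> attribute {attr}: {key}")
    return 1 if findings else 0  # non-zero exit fails a CI step


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A packaged APK stores its manifest as binary XML, so run this against the text manifest generated in the build tree.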