dpa99c / phonegap-launch-navigator

Phonegap/Cordova plugin which launches native route navigation apps for Android, iOS and Windows

GOOGLE_API_KEY_FOR_ANDROID variable may lead to unauthorized access to google api key #249

Closed PDLMobileApps closed 3 years ago

PDLMobileApps commented 3 years ago

Bug report

CHECKLIST

Current behavior:

The GOOGLE_API_KEY_FOR_ANDROID variable, which is set in the config.xml, is stored in the AndroidManifest.xml in cleartext, making it possible for an attacker to access the Google API Key and use it in an unauthorized manner. That may lead to overbilling in pay-per-use scenarios.

The plugin requires the Google API Key to be set in the GOOGLE_API_KEY_FOR_ANDROID variable in config.xml and stores it in the AndroidManifest.xml in cleartext. Hence, this is an issue with the plugin.

Expected behavior:

The Google API key should be set in a variable that is not accessible to the attacker, that is, not in AndroidManifest.xml.

Steps to reproduce:

  1. Follow the instructions to install the plugin in a Cordova app
  2. Build the app for Android
  3. Decompile the app (http://www.javadecompilers.com/apk) and open the AndroidManifest.xml

Google API Key is contained in that file

Screenshots

Environment information

Related code:

config.xml

    <plugin name="uk.co.workingedge.phonegap.plugin.launchnavigator" spec="5.0.4">
        <variable name="GOOGLE_API_KEY_FOR_ANDROID" value="my_google_key" />
        <variable name="OKHTTP_VERSION" value="3.+" />
    </plugin> 

AndroidManifest.xml

    <?xml version='1.0' encoding='utf-8'?>
    <manifest android:hardwareAccelerated="true" android:versionCode="100899" android:versionName="9.99.999" package="com.foodlion.mobile" xmlns:android="http://schemas.android.com/apk/res/android">
        <application android:allowBackup="false" android:extractNativeLibs="true" android:hardwareAccelerated="true" android:icon="@mipmap/ic_launcher" android:label="@string/app_name" android:supportsRtl="true" android:usesCleartextTraffic="true" tools:replace="android:allowBackup" xmlns:tools="http://schemas.android.com/tools">
            ...
            <activity android:name="com.worklight.wlclient.ui.UIActivity" />
            <meta-data android:name="launchnavigator.GOOGLE_API_KEY" android:value="my_google_key" />
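
As an added example (not part of the original issue or the plugin's code), the following Python release check parses the text-form merged AndroidManifest.xml from a build and reports `<meta-data>` entries that carry key material, so each reported key can be reviewed for package, certificate and API restrictions before shipping. The sample manifest and key are constructed, and the function and pattern names are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Google API keys commonly look like "AIza" plus 35 URL-safe characters.
GOOGLE_KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")
# Entry names that suggest a credential even when the value has another shape.
NAME_HINT_RE = re.compile(r"api[_.]?key|secret|token", re.IGNORECASE)


def audit_manifest(xml_text):
    """Return (name, reason) for each <meta-data> entry that carries key material."""
    findings = []
    for meta in ET.fromstring(xml_text).iter("meta-data"):
        name = meta.get(ANDROID_NS + "name", "")
        value = meta.get(ANDROID_NS + "value", "")
        if GOOGLE_KEY_RE.fullmatch(value):
            findings.append((name, "literal value shaped like a Google API key"))
        elif value.startswith("@") and NAME_HINT_RE.search(name):
            # A resource reference only moves the literal into the APK's resources.
            findings.append((name, "key-like name resolved from app resources"))
        elif NAME_HINT_RE.search(name) and value:
            findings.append((name, "key-like name with a literal value"))
    return findings


# Constructed sample: the key is a placeholder, not a real credential.
SAMPLE_KEY = "AIza" + "X" * 35
SAMPLE_MANIFEST = f"""<?xml version='1.0' encoding='utf-8'?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <application android:label="@string/app_name">
        <meta-data android:name="launchnavigator.GOOGLE_API_KEY" android:value="{SAMPLE_KEY}" />
        <meta-data android:name="com.example.FEATURE_FLAG" android:value="true" />
    </application>
</manifest>"""

if __name__ == "__main__":
    for name, reason in audit_manifest(SAMPLE_MANIFEST):
        print(f"{name}: {reason}")
```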