googleads / googleads-mobile-android-examples


[Security] Leaked GCP API Keys #675

Closed Mercandj closed 4 months ago

Mercandj commented 4 months ago

Hello, thanks for your great work.

After releasing on the Play Store, the pre-launch report is detecting a leaked GCP API key from the library: com.google.android.gms:play-services-ads-lite:23.0.0@aar

Decompiled code is "available" here and seems to show: "gads:safe_browsing:api_key", "AIzaSyDRKQ9d6kfsoZT2lUnZcZnBYvH69HExNPE"

On the play-services-ads-lite:23.0.0 version, the issue seems to come from the com.google.android.gms.internal.ads.zzbii class.

Proposition to hide the secret: get it from backend, AES, or the Google library secrets-gradle-plugin.

Related issues:


Thanks for your great sample, and feel free to tell me if this issue is not related to the sample and should be opened in another repository.
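
One way to look for key-shaped strings in a dependency locally, before a build is uploaded. This is an added example, not code from this thread, from the Play Console or from the Ads SDK. It scans an .aar and its nested classes.jar for strings shaped like Google API keys. The "AIza" plus 35 characters pattern is the commonly used shape for these keys; the function names and the in-memory sample archive are constructed for illustration.

```python
import io
import re
import zipfile

# Assumption: the commonly used shape of a Google API key, 39 characters made
# of the literal prefix "AIza" followed by 35 URL-safe characters.
KEY_RE = re.compile(rb"AIza[0-9A-Za-z_-]{35}")


def redact(key: bytes) -> str:
    """Keep enough of the key to identify it in a report without re-publishing it."""
    text = key.decode("ascii")
    return text[:8] + "..." + text[-4:]


def scan_archive(data: bytes, path: str = "") -> list:
    """Return (member path, redacted key) pairs; nested archives are scanned too."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for name in archive.namelist():
            member = archive.read(name)
            full = f"{path}!/{name}" if path else name
            if name.endswith((".jar", ".aar", ".zip")):
                findings.extend(scan_archive(member, full))
                continue
            # String constants in .class files are stored as modified UTF-8,
            # so an ASCII key appears byte-for-byte in the constant pool.
            for match in KEY_RE.finditer(member):
                findings.append((full, redact(match.group())))
    return findings


def build_sample_aar() -> bytes:
    """Constructed sample: an .aar whose classes.jar holds one fake key."""
    fake_key = b"AIza" + b"X" * 35  # constructed, not a real key
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("com/example/Flags.class", b"\xca\xfe\xba\xbe\x01\x00\x27" + fake_key)
        z.writestr("com/example/Clean.class", b"\xca\xfe\xba\xbe no secrets here")
    aar = io.BytesIO()
    with zipfile.ZipFile(aar, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("classes.jar", jar.getvalue())
    return aar.getvalue()


if __name__ == "__main__":
    for location, key in scan_archive(build_sample_aar(), "sample.aar"):
        print(location, key)
```

A hit only shows that a key-shaped constant ships in the artifact; whether it is a problem depends on how the key is restricted on the server side, which this scan cannot see.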

NVentimiglia commented 4 months ago

@Mercandj

Thank you. I have submitted this report.