Bug: when used on Android, it misses some important Proguard rules

[AndroidDeveloperLB]

This: https://issuetracker.google.com/issues/174494519

Sadly was told this isn't an official SDK for Android, but it's still what we have for it.

[jpoehnelt]

This library is not intended to run on Android. No proguard rules will be added.

[AndroidDeveloperLB]

@jpoehnelt Can you please at least update the main repository, to show how people should use it, if used on Android? It's a Java library, so if it's possible to use it on Android, it's an advantage. Please write which Proguard rules we should add in this case.

[jpoehnelt]

I reopened this as a feature request to add proguard rules. If someone in the community wants to add these that would be appreciated.

[AndroidDeveloperLB]

@jpoehnelt Well, at least according to what I've found, this should work:

-keep class com.google.maps.** { *; }

But maybe it's too much or too little. I might be wrong on this, because I use the library for very specific stuff...

[arriolac]

The ProGuard rule you mentioned above will work however this is not something we will add on the README since this library is not meant to be used on Android.

[AndroidDeveloperLB]

@arriolac It's a Java library. Android usually supports Java libraries. And here it's quite "pure" Java, so I don't see why not .

[arriolac]

As the README says:

"This library is not intended for use inside of an Android app, due to the potential for loss of API keys."

To explain this further, if you use this library in your Android app, your app's APK will contain an API key without the proper Application restrictions. The "Android apps" Application restrictions when you restrict your API key is only enforced if you use the Android-specific SDKs. So, it's a security risk to distribute an app that uses this library since your API key can be recovered from your app.

[AndroidDeveloperLB]

Using Google's solution as on the demos will make it secure? How so? After all, the key has to be saved in the app, one way or another...

[arriolac]

Yes, it is more secure assuming you apply application restrictions on your API key. This way, if you API was somehow recovered it won't result in unintended charges if they try to use it since API requests would only work in the context of your app. If you're not already doing so, it's also a good idea to also hide your API key from version control. We have a Gradle plugin that can help with that.

[AndroidDeveloperLB]

@arriolac But for both of them you need the API key, and for both you have the control on the website of restricting it. Once you get the API key, you can fake the app, no? Using same package name? What do you mean "hide your API key from version control." ? How can the repository you offered help? In the end, the key is inside the APK file, one way or another.

[arriolac]

You can't fake the app with just the package name since the restriction requires having the same signing-certificate fingerprint. The plugin I shared is exactly what I described, it helps facilitate excluding your API key from version control which is yet another layer of protection around your keys

[AndroidDeveloperLB]

@arriolac I don't understand. In the end, it's a communication with the server. It's some simple GET/POST request with API key. The server can't know if it's a legit app or not. Why would the " signing-certificate fingerprint" of the app matter here? And how is it related to API key? Is it obfuscated using the signature of the app ?

[arriolac]

The SHA-1 fingerprint of the certificate used to sign the app is also sent to the server. So if the application restriction (package name and signing-certificate fingerprint) that you added doesn't match the fingerprint of a request, then the request would be rejected.

[AndroidDeveloperLB]

@arriolac Can't the bytes that are sent over the communication be captured and copied?

[marcin-adamczewski]

@arriolac As the library is recommended to be used in Android now, what about adding proguard rules to README?

I tried to do Geocoding but geometry field of GeocodingResult class didn't exist. For now, I fixed it by adding the -keep class com.google.maps.** { *; } rule. I don't know if this is enough so it would be nice to have these rules in README.