Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Android: How to use GCP service account for Android app

I am using Google directions api in my app. Recently, I got warning from Google about the API key saying:

Your app contains exposed Google Cloud Platform (GCP) API keys

This is because the directions API needs auth key(I have that key in strings.xml file, and appending it from there). On the console, package name and SHA1 for app is already added alongwith restricting the API. I read about setting up GCP service account but not getting idea of how to use it. As per docs, we should set environment variable and provide credentials through it. Does this means I have to store the generated json file in my application and get credentials from there(as mentioned in the docs). If not, then what should be best approach for mobile apps.

Update: The generated google-services.json itself has api key in it.

like image 955
Nitish Avatar asked Nov 16 '22 04:11

Nitish


1 Answers

The best source for this is the Google Documentation itself

From the docs -

If you embed GCP API keys in your applications, those keys will become publicly available. This exposure of your API keys could lead to unexpected charges and quota changes in your app’s account. We recommend fixing this issue in your app using one of the following ways:

  1. If possible, use GCP service accounts in lieu of GCP API keys for authenticating your app. A GCP service account is a Google account associated with your GCP project. More details on creating and using service accounts can be found here.

  2. Add restrictions to your API key so that only your apps are allowed to use the API key. More details on adding restrictions to API keys can be found here.

Please review the GCP best practices for securely using API keys.

like image 67
Thalish Sajeed Avatar answered Jan 20 '23 16:01

Thalish Sajeed