2

Recently I received this Alert in the Google Play Console

Your app contains exposed Google Cloud Platform (GCP) API keys

I am using the YouTubeApi Player, and I believe the only way you can initialize it is using this line of code

youTubePlayer.initialize(DEVELOPER_KEY, this);

So besides adding restrictions to my API key, is there any other way to remove the API key from the code?

I tried using the GCP service accounts as suggested by Google, but I do not see how I can still use the YouTube Player without the initialize line of code.

j.t.h.
  • 111
  • 1
  • 11

2 Answers

3

I had the same problem, and fixed it by using the string R.string.google_api_key generated by google_services.json

Change your code to:

youTubePlayer.initialize(getString(R.string.google_api_key), this);

How to get google_services.json:

Bamz3r
  • 149
  • 1
  • 6
0

There are some tips on how to secure your API keys at Using API Keys documentation.

It is stated that embedding API keys directly in the code should be avoided, which is the way you are having it right now, therefore you are getting the warning message.

Follow the tips on that page and you should properly secure your API key. As soon as you do so, the warning will go away.

UPDATE

To avoid having a long discussion in comments, allow me to elaborate further providing this update.

Google provides different ways of authentication to give you more options for securing your apps based on your needs. The warnings are helpful tips to make your apps more secure when going into production or exposing them to the public. So in your case, it would be better to use a different way of authentication.

API keys can be used on the server side. E.g., if you are using an API key to authenticate to a 3rd-party service from an App Engine app, you can use this key as you already have it, since it is impossible for the key to get exposed. (Avoid using API keys in JavaScript, since inspecting the page in the browser will expose the API key as well.)

In your case, since you are developing an Android app and/or an iOS app, having the API key in the code is dangerous, because anyone can take the .apk or the .ipa file and find a way to access it. Therefore, for developing Android and iOS apps it is suggested to go with a different authentication method. The other authentication method supported by the YouTube Player API is OAuth 2.0. For more information you can check the Registering your application documentation.

Andrei Cusnir
  • 2,635
  • 1
  • 12
  • 21
  • 1
  • The issue is that the YouTube Player needs: `youTubePlayer.initialize(DEVELOPER_KEY, this);` – j.t.h. Aug 08 '19 at 14:03
  • I can add restrictions to my API key, but I was looking for a way to hide the API key and still pass it to the `init` of the youTubePlayer. – j.t.h. Aug 08 '19 at 14:05
  • I see. Well, the YouTube Player API needs the `DEVELOPER_KEY` as a string to be there, but instead of embedding it in the code as you are currently doing, you can `store them in environment variables or in files outside of your application's source tree.` as it is stated in the documentation I shared above. This means that you can have it as an encrypted string in a file outside of your app's code. Load the file, decode it and then use it. – Andrei Cusnir Aug 08 '19 at 14:24
  • That is what I was looking for, an example of storing the key externally and then reading it in. I had read the documentation you provided before, and it mentioned using a `GCP service account`, but I believe that will not work, since it expects the APIs to automatically read in the credentials, which the YouTube API can't. – j.t.h. Aug 08 '19 at 18:07
  • The `GCP service account` that you refer to in the documentation is used within the Google services. E.g., if you are using Cloud SQL, a Cloud SQL service account will appear in the IAM roles, and if you are using Cloud Build, a Cloud Build service account will appear in the IAM roles. Therefore, if you want to access Cloud SQL from Cloud Build, instead of using API keys you can authorize those service accounts to access each other within IAM roles. This is what it means. – Andrei Cusnir Aug 09 '19 at 07:24
  • Now that I take a deeper look at the documentation, I understand that it points you to use the API key for testing purposes only and to use a different authentication method in production. Because `store them in environment variables or in files outside of your application's source tree.` means that after you release your app, the file and the environment variable will not be there, therefore it will not be able to authenticate with an API key. – Andrei Cusnir Aug 09 '19 at 07:40
  • My suggestion is to use a different authentication method, which will be more secure; otherwise you can bypass the warning (**WHICH IS NOT RECOMMENDED**) by splitting the API key into parts and assembling it before using it. You can see this [Stackoverflow](https://stackoverflow.com/a/56964127/4037220) answer. However, keep in mind that if your source code is exposed, the API key is exposed as well. – Andrei Cusnir Aug 09 '19 at 07:44
  • There is very little specific help for iOS and Android developers on that Securing an API key link. – funkybro Aug 09 '19 at 07:46
  • Seems Google panics everybody with those warning messages but does not actually provide specific advice on what to do instead. So developers put in those hacks like splitting the API keys and hope for the best. – funkybro Aug 09 '19 at 07:47
  • I have updated my answer providing more information on various ways of authenticating your apps as well as when and why an API key can be helpful. Please check my answer again, I hope it is helpful. – Andrei Cusnir Aug 09 '19 at 08:40
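The Play Console alert quoted in the question is the result of the same kind of scan a developer can run before uploading. The following is an added example, not code from the question, either answer, or Google; it is a small pre-upload check in Python that looks for GCP API key literals in the files that get packaged into the APK. The repository layout, the `SHIPPED_PREFIXES` tuple, the sample files and the key value are all constructed for this example.

```python
import re

# Google/GCP API keys are 39 characters long: the fixed prefix "AIza"
# followed by 35 characters drawn from [0-9A-Za-z_-].
GCP_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")

# Repo paths whose contents are compiled or packaged into the APK.
# Anything else (local.properties, CI secrets, the build machine's
# environment) never reaches the artifact users download.
# Hypothetical layout, chosen for this example.
SHIPPED_PREFIXES = ("app/src/",)


def find_exposed_api_keys(files):
    """files: mapping of repo-relative path -> file text.

    Returns a list of (path, line_no, key) for each API key literal found
    in a file that would be packaged into the APK."""
    findings = []
    for path, text in files.items():
        if not path.startswith(SHIPPED_PREFIXES):
            continue  # stays outside the .apk, so not reachable from it
        for line_no, line in enumerate(text.splitlines(), 1):
            for match in GCP_API_KEY_RE.finditer(line):
                findings.append((path, line_no, match.group(0)))
    return findings


# Constructed, obviously fake key that has the real format
# (39 chars, "AIza" prefix, padded with zeros to 35 trailing chars).
FAKE_KEY = "AIza" + "EXAMPLE_CONSTRUCTED_KEY_".ljust(35, "0")

# Constructed sample project in which the key is present three ways.
SAMPLE_FILES = {
    # 1. Hard-coded in Java, the situation that triggers the Console alert.
    "app/src/main/java/com/example/PlayerActivity.java": (
        "public class PlayerActivity extends YouTubeBaseActivity {\n"
        f'    private static final String DEVELOPER_KEY = "{FAKE_KEY}";\n'
        "    // youTubePlayer.initialize(DEVELOPER_KEY, this);\n"
        "}\n"
    ),
    # 2. In a string resource, read via getString(R.string.google_api_key)
    #    at runtime but still packaged into the APK's resources.
    "app/src/main/res/values/strings.xml": (
        "<resources>\n"
        f'    <string name="google_api_key">{FAKE_KEY}</string>\n'
        "</resources>\n"
    ),
    # 3. In local.properties, which is git-ignored and never packaged.
    "local.properties": f"youtube.api.key={FAKE_KEY}\n",
}


def scan_sample():
    """Run the check over the constructed project."""
    return find_exposed_api_keys(SAMPLE_FILES)


if __name__ == "__main__":
    for path, line_no, key in scan_sample():
        print(f"{path}:{line_no}: exposed API key {key[:8]}...")
```

Run against the sample project, the check reports the Java constant and the strings.xml entry and ignores local.properties. That is the point worth taking from the thread: moving the key into a string resource (including one generated from google_services.json) changes where it sits in the APK, not whether it is there, so the Android-app restriction on the key in the GCP console or the OAuth 2.0 flow the second answer points to is what actually limits misuse. A literal-matching check like this one also only finds whole keys, which is why the split-key trick mentioned in the comments silences the warning without keeping the assembled key out of the APK.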