2

Your app contains exposed Google Cloud Platform (GCP) API keys. Please see this Google Help Center article for details.

Vulnerable locations:

com.abc.Youtube_Player->onCreate

This is how my code looks at the back end:

public class Youtube_Player extends AppCompatActivity implements YouTubePlayer.OnInitializedListener {

    // YouTube player view

    public static final String GOOGLE_API_KEY = "<api key>";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_youtube__player);

        // Initializing video player with developer key
        mPlayerView.initialize(GOOGLE_API_KEY, this);
    }
}

3 Answers

7

You have an API key in the code. As a best practice, you should keep secret keys in a secure system like Google Secret Manager, HashiCorp Vault, an encrypted secure GCS bucket, etc. If these options are not feasible for you, still try to put secret keys in some other property file and control access to that file.

pradeep
  • Thanks pradeep. I have implemented the above answer and hope Play Store will remove its warning. If it doesn't work, I will try your answer. Currently this is the problem I am facing; if you know the answer, kindly share: https://stackoverflow.com/questions/59855432/manifest-merger-failed-attribute-applicationappcomponentfactory-value-androi – Rohit Kumar Sehrawat Jan 22 '20 at 10:56
1

You have defined your API key with 'public static', which means your API key can be accessed anywhere in the app, and there is a chance of leaking your API key. You need to change from 'public static' to private.

ashok
0

Complete guide for using API keys and avoiding the Leaked GCP API Keys security issue in Google Play Console: https://stackoverflow.com/a/71155071/13387867

Milan Maji
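
A pre-upload check for the condition the Play Console warning reports, as an added example that is not part of the original posts: it scans Java source for string literals shaped like Google API keys and reports the class and line with the value masked. The `AIza` plus 35-character pattern is the commonly used key format (an assumption, not taken from the page), and `find_exposed_keys`, the sample source and its filler key are constructed for illustration.

```python
import re

# Google API keys are 39 characters: "AIza" followed by 35 URL-safe characters.
GCP_KEY = re.compile(r"AIza[0-9A-Za-z_-]{35}")
PACKAGE = re.compile(r"^\s*package\s+([\w.]+)\s*;", re.M)
CLASS = re.compile(r"\bclass\s+(\w+)")
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')


def find_exposed_keys(java_source):
    """Return (location, line_no, masked_key) for each key-shaped string literal."""
    pkg = PACKAGE.search(java_source)
    package = pkg.group(1) if pkg else None
    current_class = None
    findings = []
    for line_no, line in enumerate(java_source.splitlines(), start=1):
        if line.lstrip().startswith("//"):
            continue  # full-line comments are not compiled into the APK
        cls = CLASS.search(line)
        if cls:
            current_class = cls.group(1)
        for literal in STRING_LITERAL.findall(line):
            for key in GCP_KEY.findall(literal):
                location = ".".join(filter(None, (package, current_class)))
                # Mask the value so the report does not leak the key again.
                findings.append((location, line_no, key[:6] + "*" * (len(key) - 6)))
    return findings


# Constructed sample: the key is key-shaped filler, not a real credential.
FAKE_KEY = "AIza" + "0" * 35
SAMPLE = '''package com.abc;

public class Youtube_Player extends AppCompatActivity {
    public static final String GOOGLE_API_KEY = "<KEY>";
    private final String samePrivate = "<KEY>";
    private static final String PLACEHOLDER = "<api key>";
}
'''.replace("<KEY>", FAKE_KEY)

if __name__ == "__main__":
    for location, line_no, masked in find_exposed_keys(SAMPLE):
        print(f"{location}:{line_no}: hardcoded GCP API key {masked}")
```

The check matches the literal itself, so both the `public static final` field and the `private` field in the sample are reported, while the `<api key>` placeholder is not.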