this post was submitted on 01 May 2024
12 points (100.0% liked)

Programming

17494 readers
41 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 1 year ago
MODERATORS
snowe@programming.dev
Ategon@programming.dev
MaungaHikoi@lemmy.nz
12
Question regarding use of Android/Google API usage. (self.programming)
submitted 6 months ago by Sunny to c/programming@programming.dev
4 comments fedilink hide all child comments
 

Hi, reaching out here, as I assume and hope that this community is the one that has the better knowledge on the use of API keys.

I'm currently investigating a couple of free VPNs, e.g. APKs, for my thesis. I've stumbled upon many of these VPNs leaving API keys, auth key etc.. hardcoded into the app. However, one API key in particular is the one used by android.gms.internal.ads. This key is present in multiple different apps, not just VPN apps, but other complete random apps. Now, I am no programmer, and that's why I'm asking for some pointers to get a better understanding of this. How come this API-key, belonging to a Google Service, is present in so many different apps? I've tried to look it up, and found another malware report from 2021, that highlight finding the same API-key.

The API Key is: AIzaSyDRKQ9d6kfsoZT2lUnZcZnBYvH69HExNPE

Code example key being found in;

public final class zzadt {
    private static zzacy<String> zzdfw = zzacy.zzh("gads:safe_browsing:api_key", "
AIzaSyDRKQ9d6kfsoZT2lUnZcZnBYvH69HExNPE
");

Is there a good reason for this API key being reused so many times? Appreciate any pointers or help!

you are viewing a single comment's thread
view the rest of the comments
[–] Max_P@lemmy.max-p.me 6 points 6 months ago (1 children)

Some of those keys are public knowledge and only serves to tie what client it is (Chromium, Firefox, Safari probably) or otherwise stolen from one of those. This is a safe browsing API key, it's used to check if sites have been marked as phishing/scam/etc and is used to warn users that the site is known to be malicious. Others are used to tie analytics or ads to the app, so it goes into the right developer's account metrics.

I wouldn't call those leaked, they're meant to be embedded into apps and aren't considered as secret keys.

It's common practice to use API keys like that even if they're not so secret, just for the sake of tracking which app is making what requests and so people can't just openly use the API. You can easily shut down unapproved clients by just rolling out a new key, and it causes an annoying whack-a-mole game to constantly have to extract them from an APK.

[–] Sunny 2 points 6 months ago (1 children)

Thanks very much for the clarification! I did try to register my own API key, and look around Google documentation to find the same one, but wasn't able to. Also weren't aware of there being such API keys, and software I was using was flagging this as a medium severity - so I ofc thought it was worse than it was/is... Anyway, thanks for answering my question :=)

[–] Max_P@lemmy.max-p.me 4 points 6 months ago (1 children)

https://github.com/googleads/googleads-mobile-flutter/issues/622

It looks like it used to be bundled as part of binaries shipped by Google with the Google Ads SDK so that'd be why it's not exactly documented. Developers just bundle it in their app and presto, ads are displayed.

I'd be skeptical of scanners just spewing "security vulnerabilities". That malware report is of very poor quality, and they incorrectly identified this key as an API key leak with no idea what it is nor what it does because it's not relevant. It's also claiming it's downloading files... using private IP addresses in the 10.0.0.0/8 range? Nonsense. That report is a lame report to pad their portfolio of "security researchers".

[–] Sunny 1 points 6 months ago

Yeah I spotted the same haha, just fount it by looking around for results including that key in specific. Thanks for clarifying all of this, its been quite helpful!