this post was submitted on 01 May 2024
12 points (100.0% liked)

Programming

17494 readers
41 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 1 year ago
MODERATORS
snowe@programming.dev
Ategon@programming.dev
MaungaHikoi@lemmy.nz
12
Question regarding use of Android/Google API usage. (self.programming)
submitted 6 months ago by Sunny to c/programming@programming.dev
4 comments fedilink hide all child comments
 

Hi, reaching out here, as I assume and hope that this community is the one that has the better knowledge on the use of API keys.

I'm currently investigating a couple of free VPNs, e.g. APKs, for my thesis. I've stumbled upon many of these VPNs leaving API keys, auth key etc.. hardcoded into the app. However, one API key in particular is the one used by android.gms.internal.ads. This key is present in multiple different apps, not just VPN apps, but other complete random apps. Now, I am no programmer, and that's why I'm asking for some pointers to get a better understanding of this. How come this API-key, belonging to a Google Service, is present in so many different apps? I've tried to look it up, and found another malware report from 2021, that highlight finding the same API-key.

The API Key is: AIzaSyDRKQ9d6kfsoZT2lUnZcZnBYvH69HExNPE

Code example key being found in;

public final class zzadt {
    private static zzacy<String> zzdfw = zzacy.zzh("gads:safe_browsing:api_key", "
AIzaSyDRKQ9d6kfsoZT2lUnZcZnBYvH69HExNPE
");

Is there a good reason for this API key being reused so many times? Appreciate any pointers or help!

you are viewing a single comment's thread
view the rest of the comments
[–] Sunny 2 points 6 months ago (1 children)

Thanks very much for the clarification! I did try to register my own API key, and look around Google documentation to find the same one, but wasn't able to. Also weren't aware of there being such API keys, and software I was using was flagging this as a medium severity - so I ofc thought it was worse than it was/is... Anyway, thanks for answering my question :=)

[–] Max_P@lemmy.max-p.me 4 points 6 months ago (1 children)

https://github.com/googleads/googleads-mobile-flutter/issues/622

It looks like it used to be bundled as part of binaries shipped by Google with the Google Ads SDK so that'd be why it's not exactly documented. Developers just bundle it in their app and presto, ads are displayed.

I'd be skeptical of scanners just spewing "security vulnerabilities". That malware report is of very poor quality, and they incorrectly identified this key as an API key leak with no idea what it is nor what it does because it's not relevant. It's also claiming it's downloading files... using private IP addresses in the 10.0.0.0/8 range? Nonsense. That report is a lame report to pad their portfolio of "security researchers".

[–] Sunny 1 points 6 months ago

Yeah I spotted the same haha, just fount it by looking around for results including that key in specific. Thanks for clarifying all of this, its been quite helpful!