from Sunny@slrpnk.net to programming@programming.dev on 01 May 18:28
https://slrpnk.net/post/9136883
Hi, reaching out here, as I assume and hope that this community is the one that has the better knowledge on the use of API keys.
I’m currently investigating a couple of free VPNs, e.g. APKs, for my thesis. I’ve stumbled upon many of these VPNs leaving API keys, auth key etc… hardcoded into the app. However, one API key in particular is the one used by android.gms.internal.ads. This key is present in multiple different apps, not just VPN apps, but other complete random apps. Now, I am no programmer, and that’s why I’m asking for some pointers to get a better understanding of this. How come this API-key, belonging to a Google Service, is present in so many different apps? I’ve tried to look it up, and found another malware report from 2021, that highlight finding the same API-key.
The API Key is: AIzaSyDRKQ9d6kfsoZT2lUnZcZnBYvH69HExNPE
Code example key being found in;
public final class zzadt {
private static zzacy<String> zzdfw = zzacy.zzh("gads:safe_browsing:api_key", "
AIzaSyDRKQ9d6kfsoZT2lUnZcZnBYvH69HExNPE
");
Is there a good reason for this API key being reused so many times? Appreciate any pointers or help!
threaded - newest
Some of those keys are public knowledge and only serves to tie what client it is (Chromium, Firefox, Safari probably) or otherwise stolen from one of those. This is a safe browsing API key, it’s used to check if sites have been marked as phishing/scam/etc and is used to warn users that the site is known to be malicious. Others are used to tie analytics or ads to the app, so it goes into the right developer’s account metrics.
I wouldn’t call those leaked, they’re meant to be embedded into apps and aren’t considered as secret keys.
It’s common practice to use API keys like that even if they’re not so secret, just for the sake of tracking which app is making what requests and so people can’t just openly use the API. You can easily shut down unapproved clients by just rolling out a new key, and it causes an annoying whack-a-mole game to constantly have to extract them from an APK.
Thanks very much for the clarification! I did try to register my own API key, and look around Google documentation to find the same one, but wasn’t able to. Also weren’t aware of there being such API keys, and software I was using was flagging this as a medium severity - so I ofc thought it was worse than it was/is… Anyway, thanks for answering my question :=)
github.com/googleads/…/622
It looks like it used to be bundled as part of binaries shipped by Google with the Google Ads SDK so that’d be why it’s not exactly documented. Developers just bundle it in their app and presto, ads are displayed.
I’d be skeptical of scanners just spewing “security vulnerabilities”. That malware report is of very poor quality, and they incorrectly identified this key as an API key leak with no idea what it is nor what it does because it’s not relevant. It’s also claiming it’s downloading files… using private IP addresses in the 10.0.0.0/8 range? Nonsense. That report is a lame report to pad their portfolio of “security researchers”.
Yeah I spotted the same haha, just fount it by looking around for results including that key in specific. Thanks for clarifying all of this, its been quite helpful!