**DISCLAIMER:** This plugin is primarily for hiding your keys from version control. Since your key is part of the static binary, your API keys are still recoverable by decompiling an APK. So, securing your key using other measures like adding restrictions (if possible) is recommended.
Google should allow developers to assert the API key at runtime. That way, using some custom encryption and/or NDK, the API key will be way more secure.
Just for clarification, and as it's stated by the host in the intro, this is only to hide your key from source control. If you are trying to fix a Leaked GCP API Keys error from the Play Store console, you will still get the error.
can you refer a video on how to fix that error? thanks!
omg, how to solve?
Thanks! Very brief, useful and straight to the point!
Does this keep people from being able to decompile the apk and view the api key?
The plugin prevents really trivial ways to extract an API key (i.e. source code, via PackageManager) but it does not safeguard against decompiling an APK. This is why it's still important to add key restrictions to your key.
No. All this does is hide it from source.
@chrisarriola3578 do you know of resources to explain how to add key restrictions to your key?
In this video you are giving one ID, in the Android documentation there is a different ID, and in your GitHub repo there is another new ID. I tried all 3. For all 3 I got the same error "plugin id not found". Can you give updated instructions in clear steps?
Hi Prem! There have been a few changes since the plugin was moved to Google Maven. Please refer to the installation instructions (com.google.android.libraries.mapsplatform.secrets-gradle-plugin) and feel free to file an issue on GitHub if you are still having trouble.
Thanks! Very very useful video!!
Will this api key be visible during the release apk decompile process?
Hi,
My app has been removed for this reason: Your app contains exposed Google Cloud Platform (GCP) API keys.
Which means my api key was exposed in my code.
I've applied the fix as described in the video with the latest version of the secrets-gradle-plugin.
Will this help to get my app back on the Google Play Store?
Thanks
@Rai S I didn't resolve the problem, error still appears in Play Console.
So I've tried it with Base64 decoding, I think it should solve it, currently app is in review...
I have the same problem, did you find a solution?
@SergiohUss Yes, I did Base64 encoding on my API key, then used it in the code as a string variable and created a function to decode it to get the original key
@ronsivan93 like this: Places.initialize(this, decodeBase64function(stringInBase64))?
Thanks it's working fine.
Personally I loved the Hindi Track 😍😍.
Is this process also helpful for saving any type of keys like API keys or AES keys?
Yes! You can use the plugin for any kind of key that you want to hide from source control and expose via BuildConfig or manifest file. Note that those keys are still vulnerable though if your APK is decompiled.
If I use the plugin you typed, it's working. But the one in the documentation isn't working. Why is that?
Thanks for pointing this out! I will get this corrected.
@chrisarriola3578 Thanks! Big help
we need more secure.. something like compiled as encrypted value, auto decrypt when accessing it
This is definitely a good idea! The challenge I see here is that the key used for encryption/decryption would also need to be secured somehow.
The algorithms used to decrypt would also still be available through decompilation or reviewing the binary assemblies. While it is more difficult, it is no better than obfuscation.
how about other encryption like AES, RSA, androidkeystore?
@erlangparasu6339 Again, open standards. If they can decrypt them while using them, it is not secure. Once an attacker gains physical access, all bets are off.
Thanks
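Added example, not part of the comment thread or of the plugin: a pre-release check to run on your own build, illustrating both the Base64 workaround discussed above and the reply that embedded decoding is "no better than obfuscation". It assumes the commonly used detection pattern for Google API keys (`AIza` plus 35 characters); the sample archive, entry names and key are constructed.

```python
import base64
import io
import re
import zipfile

# Assumed detection pattern: "AIza" plus 35 URL-safe characters (39 total).
KEY_RE = re.compile(rb"AIza[0-9A-Za-z_\-]{35}")
# A Base64 run long enough to hold an encoded 39-byte key (52 characters).
B64_RE = re.compile(rb"[A-Za-z0-9+/]{52,}")

def find_keys(data: bytes) -> dict:
    """Return {key: "plain" | "base64"} for key-shaped strings in data."""
    found = {}
    for run in B64_RE.finditer(data):
        # Adjacent bytes (e.g. a length prefix) may be Base64 characters too,
        # so every one of the four possible alignments is decoded.
        for start in range(4):
            chunk = run.group()[start:]
            if len(chunk) % 4 == 1:
                chunk = chunk[:-1]
            decoded = base64.b64decode(chunk + b"=" * (-len(chunk) % 4))
            for m in KEY_RE.finditer(decoded):
                found[m.group().decode()] = "base64"
    for m in KEY_RE.finditer(data):
        found[m.group().decode()] = "plain"
    return found

def scan_apk(apk) -> dict:
    """Scan each entry of an APK (a ZIP file); return {entry: {key: how}}."""
    report = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            hits = find_keys(zf.read(name))
            if hits:
                report[name] = hits
    return report

def build_sample_apk() -> io.BytesIO:
    """Constructed stand-in for an APK: a fake key stored plain and encoded."""
    fake_key = b"AIza" + b"EXAMPLE" * 5  # constructed, not a real key
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"\x00\x27" + fake_key + b"\x00")
        zf.writestr("classes2.dex", b"\x004" + base64.b64encode(fake_key) + b"\x00")
        zf.writestr("res/raw/notes.txt", b"no secrets here")
    return buf

if __name__ == "__main__":
    for entry, hits in scan_apk(build_sample_apk()).items():
        print(entry, hits)
```

`scan_apk` also accepts the path of a built APK. Strings stored as UTF-16 or behind real encryption are outside this byte-level check, which is why key restrictions remain the control that matters.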
Will it still work if I release the app?
Yep! If you would like, you can also create a separate release API key. See: github.com/google/secrets-gradle-plugin#build-variant-specific-properties
Why is the sound so terrible?
CAN WE USE THIS WITH FLUTTER?
This can also work with Flutter by modifying, however, note that there is no equivalent solution on iOS.
yes
You could just skip this library and just put
Properties properties = new Properties()
properties.load(project.rootProject.file("local.properties").newDataInputStream())
buildConfigField "String", "API_KEY", "\"${properties.getProperty("API_KEY")}\""
inside the defaultConfig{} block in the app module's build.gradle, and then call your API_KEY that's inside your local.properties with BuildConfig.API_KEY lol
Correct. I'd also add this to allow the api key as metadata on AndroidManifest.xml:
manifestPlaceholders = [API_KEY:"${properties.getProperty('API_KEY')}"]