Hi, reaching out here, as I assume and hope that this community is the one that has the better knowledge on the use of API keys.

I’m currently investigating a couple of free VPNs, e.g. APKs, for my thesis. I’ve stumbled upon many of these VPNs leaving API keys, auth key etc… hardcoded into the app. However, one API key in particular is the one used by android.gms.internal.ads. This key is present in multiple different apps, not just VPN apps, but other complete random apps. Now, I am no programmer, and that’s why I’m asking for some pointers to get a better understanding of this. How come this API-key, belonging to a Google Service, is present in so many different apps? I’ve tried to look it up, and found another malware report from 2021, that highlight finding the same API-key.

The API Key is: AIzaSyDRKQ9d6kfsoZT2lUnZcZnBYvH69HExNPE

Code example key being found in;

public final class zzadt {
    private static zzacy<String> zzdfw = zzacy.zzh("gads:safe_browsing:api_key", "
AIzaSyDRKQ9d6kfsoZT2lUnZcZnBYvH69HExNPE
");

Is there a good reason for this API key being reused so many times? Appreciate any pointers or help!

  • Sunny' 🌻@slrpnk.netOP
    link
    fedilink
    arrow-up
    2
    ·
    7 months ago

    Thanks very much for the clarification! I did try to register my own API key, and look around Google documentation to find the same one, but wasn’t able to. Also weren’t aware of there being such API keys, and software I was using was flagging this as a medium severity - so I ofc thought it was worse than it was/is… Anyway, thanks for answering my question :=)

    • Max-P@lemmy.max-p.me
      link
      fedilink
      arrow-up
      4
      ·
      7 months ago

      https://github.com/googleads/googleads-mobile-flutter/issues/622

      It looks like it used to be bundled as part of binaries shipped by Google with the Google Ads SDK so that’d be why it’s not exactly documented. Developers just bundle it in their app and presto, ads are displayed.

      I’d be skeptical of scanners just spewing “security vulnerabilities”. That malware report is of very poor quality, and they incorrectly identified this key as an API key leak with no idea what it is nor what it does because it’s not relevant. It’s also claiming it’s downloading files… using private IP addresses in the 10.0.0.0/8 range? Nonsense. That report is a lame report to pad their portfolio of “security researchers”.

      • Sunny' 🌻@slrpnk.netOP
        link
        fedilink
        arrow-up
        1
        ·
        7 months ago

        Yeah I spotted the same haha, just fount it by looking around for results including that key in specific. Thanks for clarifying all of this, its been quite helpful!