Description
Revoke current Maps API key even though it is restricted to my package name and SHA fingerprint.
Step 1: Store the Key Locally
This method keeps your API key on your local machine and out of your public code repository.
- Add the Key to local.properties
Open the local.properties file in your Android project's root directory. If this file doesn't exist, create it. Add your API key as a new line. It's a good practice to name the variable clearly.
```properties
# local.properties (DO NOT COMMIT THIS FILE)
# Do not quote the value: everything after '=' is read literally.
MAPS_API_KEY=YOUR_GOOGLE_MAPS_API_KEY_HERE
```
- Add local.properties to .gitignore
Ensure that your local.properties file is never tracked by Git. Open your project's root .gitignore file and make sure it contains the following line. It's usually there by default in new Android Studio projects.
```
# .gitignore
local.properties
```
- Load the Key in build.gradle.kts (or build.gradle)
Now, you need to load this key into your Gradle build script so your app can access it.
Open your app-level build.gradle.kts (Kotlin DSL) or build.gradle (Groovy) file.
For build.gradle.kts (Kotlin DSL):
```kotlin
// build.gradle.kts (Module :app)
import java.util.Properties
import java.io.FileInputStream

// ... other plugins

// Read local.properties if it exists; a fresh clone will not have one.
val localProperties = Properties()
val localPropertiesFile = rootProject.file("local.properties")
if (localPropertiesFile.exists()) {
    // use {} closes the stream once the properties are loaded
    FileInputStream(localPropertiesFile).use { localProperties.load(it) }
}
// Fall back to an empty string so a missing key never becomes the text "null".
val mapsApiKey: String = localProperties.getProperty("MAPS_API_KEY", "")

android {
    // ...
    defaultConfig {
        // ...
        // Both options below compile the key into the built app.
        // Makes the API key available as a string resource
        resValue("string", "maps_api_key", mapsApiKey)
        // Or makes it available in the BuildConfig class
        buildConfigField("String", "MAPS_API_KEY", "\"$mapsApiKey\"")
    }
    // ...
}
```
- Use the Key in AndroidManifest.xml
Finally, reference the key in your AndroidManifest.xml file.
```xml
<application>
    ...
    <meta-data
        android:name="com.google.android.geo.API_KEY"
        android:value="@string/maps_api_key" />
    ...
</application>
```
Now, anyone who clones your open-source repository will need to create their own local.properties file with their own API key to build the project. You should add instructions for this in your README.md file.
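A repository check for Step 1, added here as an example (it is not code from this project): it flags a tracked local.properties, a .gitignore that does not cover it, and any tracked line containing a string shaped like a Google API key (`AIza` followed by 35 characters). The function names, the simplified .gitignore matching and the sample repository contents are assumptions constructed for illustration.

```python
import fnmatch
import re

# Google API keys are 39 characters: "AIza" followed by 35 URL-safe characters.
KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")

def is_ignored(gitignore_text, filename):
    """Approximate .gitignore matching for a root-level file name (last match wins)."""
    ignored = False
    for raw in gitignore_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        pattern = line.lstrip("!").lstrip("/")
        if fnmatch.fnmatch(filename, pattern):
            ignored = not negated
    return ignored

def audit(tracked):
    """tracked: {path: text} of files under version control. Returns a list of findings."""
    findings = []
    if "local.properties" in tracked:
        findings.append("local.properties is tracked; remove it from the index")
    if not is_ignored(tracked.get(".gitignore", ""), "local.properties"):
        findings.append(".gitignore does not cover local.properties")
    for path, text in sorted(tracked.items()):
        for lineno, line in enumerate(text.splitlines(), 1):
            if KEY_RE.search(line):
                findings.append(f"{path}:{lineno}: string shaped like a Google API key")
    return findings

# Constructed sample repository contents; the key is a made-up placeholder.
FAKE_KEY = "AIza" + "0" * 35
LEAKY = {
    ".gitignore": "# .gitignore\n*.iml\n",
    "app/src/main/AndroidManifest.xml":
        '<meta-data\n android:name="com.google.android.geo.API_KEY"\n'
        f' android:value="{FAKE_KEY}" />\n',
}
CLEAN = {
    ".gitignore": "# .gitignore\nlocal.properties\n",
    "app/src/main/AndroidManifest.xml":
        '<meta-data\n android:name="com.google.android.geo.API_KEY"\n'
        ' android:value="@string/maps_api_key" />\n',
}

if __name__ == "__main__":
    for name, repo in (("leaky", LEAKY), ("clean", CLEAN)):
        print(name, audit(repo) or "no findings")
```

On a real checkout, build the `tracked` mapping from the paths printed by `git ls-files`. The check only sees the current tree, so a key that was ever committed remains in history and still has to be revoked.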
Step 2: Restrict the API Key (Crucial)
This is the most important security step. It locks your API key so it can only be used by your specific Android app, even if it gets leaked.
Go to the Google Cloud Console > APIs & Services > Credentials.
Click on the name of your API key.
Under Application restrictions, select Android apps.
Click ADD AN ITEM.
Enter your app's Package name (e.g., com.example.myapp).
Enter the SHA-1 certificate fingerprint of your signing key.
You'll need to add the SHA-1 fingerprints for both your debug key (for development) and your release key (for the published app). You can find these using the Gradle signingReport command in the Android Studio terminal:
```bash
./gradlew signingReport
```
This will list the SHA-1 fingerprints for all your build variants.