How to hide API Keys in AndroidManifest.xml


There is no way for you to obfuscate the key stored in your Manifest as the stored (static) value will be directly used by the Google Maps API itself. To secure your key, consider adding restrictions in your GCP console so that only authorized clients can use your key.

See this link for more details: https://developers.google.com/maps/documentation/android-sdk/get-api-key#restrict_key

Here's more information about the best practices to securing your API keys: https://developers.google.com/maps/api-key-best-practices#api_key_table
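As the answer says, the Maps SDK reads the key as a static value from the manifest, so the build-side improvement is limited to keeping it out of committed source. The Gradle snippet below is an added example (not from the answer or the Maps documentation) that injects the key from a git-ignored `android/local.properties` into the manifest at build time; the property name `MAPS_API_KEY` and the `${MAPS_API_KEY}` placeholder are assumptions chosen for the example, and a Flutter template `build.gradle` already declares a `localProperties` object that you would reuse rather than redefine.

```groovy
// android/app/build.gradle (Groovy DSL). Added example, not the page's own code.
// Loads MAPS_API_KEY from android/local.properties, which Flutter already git-ignores,
// and substitutes it for ${MAPS_API_KEY} in AndroidManifest.xml during the build.
// In the manifest (assumed placeholder name):
//   <meta-data android:name="com.google.android.geo.API_KEY"
//              android:value="${MAPS_API_KEY}" />
// The resolved value still lands in the APK's binary manifest, so application
// restrictions in the GCP console remain the actual control, as the answer states.
def localProperties = new Properties()
def localPropertiesFile = rootProject.file('local.properties')
if (localPropertiesFile.exists()) {
    localPropertiesFile.withReader('UTF-8') { reader ->
        localProperties.load(reader)
    }
}

// Fail the build loudly instead of shipping a manifest with an empty key.
def mapsApiKey = localProperties.getProperty('MAPS_API_KEY')
if (mapsApiKey == null || mapsApiKey.trim().isEmpty()) {
    throw new GradleException(
        "MAPS_API_KEY is missing from android/local.properties (git-ignored file)")
}

android {
    defaultConfig {
        // Gradle rewrites every ${MAPS_API_KEY} in the manifest with this value.
        manifestPlaceholders = [MAPS_API_KEY: mapsApiKey]
    }
}
```

Anyone with the APK can still recover the key from the merged manifest, which is why the key restrictions linked above are what prevent unauthorised use.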

Author: SRR

Updated on December 16, 2022

Comments

  • SRR
    SRR over 1 year

    I've just started using the Google Maps plugin for Flutter and it required me to insert the generated API key into the AndroidManifest.xml file in android/app/src/main/AndroidManifest.xml. A few moments later I committed it to my repo and immediately got a warning from Google and Git to change/generate a new key, etc. (didn't know you weren't supposed to do that, so I'm well aware now).

    After that, I began searching for ways to hide API keys. One solution is to use the Flutter Secure Storage plugin, but that only helps (I think) within a .dart file. Another is to create a separate file and add it to .gitignore, but when I build the APK, won't that file also be bundled?

    Ideally I'd like to publish it but I wouldn't want the key to be easily accessible so how can I load the API key into the AndroidManifest.xml file without using plaintext? I would like to avoid using a backend so I was thinking I could manually hash it and then unhash at runtime, but I still don't know how to dynamically change the AndroidManifest.xml file.

  • SRR
    SRR over 4 years
    If I restrict the key in the GCP does this mean I can bundle it with my APK in production?
  • Christilyn Arjona
    Christilyn Arjona over 4 years
    @S.Ramjit Yes that's correct. As long as you've configured the restrictions properly, you don't have to worry about unauthorized usages. It's also a good practice to monitor your usage in your GCP console.