Google’s latest API key architecture has caused a major ruckus in the industry. According to a post published by CloudSEK, an application programming interface (API) key architecture that the tech giant had described as safe has been leaking app data. If a hacker exploits it, they can expose the data users share with the chatbot and can also make unauthorised Gemini API calls.
Google had said the API key was safe to add to the codebase of Android apps, but after integration with applications it turned out to carry credential privileges. Previously, Truffle Security found a similar flaw in a Google Cloud project.
The mobile app security search engine BeVigil, by CloudSEK, scanned the top 10,000 Android apps and identified 32 live Google API keys hardcoded in 22 different applications with more than 500 million installs collectively. The most popular apps in this category are WAStickersApps, HD Sticker & Pack, the Hindu, Oyo Hotel, Google Pay for Business, ISS Live Now, and many more.
What’s more, the report claims the API key format Alza… is added to the app when a developer wants to embed Maps or Firebase, following Google’s documentation instructions. From the user’s point of view, the data they share with Gemini, such as images, audio, and documents, is all stored in the Files API and is now at risk of being used by bad actors. Furthermore, the cached AI context can also be read, copied, or exfiltrated by a hacker.
Developers and publishers are also at risk because Gemini API integration is paid, and unauthorised usage by hackers can drive up the bills. As per CloudSEK, all developers and companies should review the API keys in their GCP project and avoid hardcoding any key in mobile app source code.
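One way to carry out the key review CloudSEK recommends over an unpacked APK or an app repository, as an added example that is not CloudSEK’s or BeVigil’s tooling: it assumes the pattern widely used by secret scanners for Google API keys (`AIza` followed by 35 URL-safe characters) and runs over constructed sample files with made-up, non-functional keys.

```python
"""Scan unpacked Android app files for hardcoded Google API keys.

Added example for this article; it is not CloudSEK's or BeVigil's tooling.
Assumption: the pattern widely used by secret scanners for Google API keys,
'AIza' followed by 35 URL-safe characters (letters, digits, '-' or '_').
"""
import re
from typing import Dict, List, Tuple

GOOGLE_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}")

# Constructed, non-functional sample keys of the right length (4 + 35 chars).
KEY_MAPS = "AIzaSyA" + "0" * 26 + "EXAMPL"
KEY_GEMINI = "AIzaSyB" + "1" * 26 + "EXAMPL"

# Constructed snapshot of files as produced by decoding an APK (paths are illustrative).
SAMPLE_FILES: Dict[str, str] = {
    "res/values/strings.xml": (
        "<resources>\n"
        '  <string name="app_name">DemoStickers</string>\n'
        f'  <string name="google_maps_key">{KEY_MAPS}</string>\n'
        "</resources>\n"
    ),
    "smali/com/example/GeminiClient.smali": f'const-string v0, "{KEY_GEMINI}"\n',
    # Looks similar but is too short to be a key; must not be reported.
    "smali/com/example/Util.smali": 'const-string v0, "not_a_key_AIza_short"\n',
}


def find_hardcoded_keys(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Return (path, line_number, key) for every Google API key literal found."""
    hits: List[Tuple[str, int, str]] = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            for match in GOOGLE_API_KEY_RE.finditer(line):
                hits.append((path, lineno, match.group(0)))
    return hits


def redact(key: str) -> str:
    """Keep only the prefix and last four characters so reports do not re-leak the key."""
    return f"{key[:4]}...{key[-4:]}"


def report(files: Dict[str, str]) -> List[str]:
    """Human-readable findings, one line per hardcoded key, with the key redacted."""
    return [f"{path}:{lineno}: hardcoded Google API key {redact(key)}"
            for path, lineno, key in find_hardcoded_keys(files)]
```

Any hit is a key that ships to every device and should be treated as public: rotate it in the GCP project, restrict it, and move the call behind a backend the app authenticates to.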