🔐 I Found a Hardcoded Google API Key in a Popular Food App (and It Was Too Easy 🍟🔑)

☕ “Woke up, scanned an APK, found a secret. Just hacker things.”

While playing around with my custom APK vulnerability scanner (yes, I made one — because why not?), I stumbled upon a pretty critical bug in a popular food delivery app with millions of downloads. The kind of bug that would make a security triager say:

“Bro, are you serious?”

Let’s walk through the finding, how I automated it, and why hardcoding secrets is a huge no-no.

🚨 Vulnerability: Hardcoded Google API Key

Yup. Plaintext. In the APK. Just chilling in strings.xml like it pays rent.

🔍 Pattern:

AIza[0-9A-Za-z\\-_]{35}

That’s the signature of a Google API Key. If it isn’t properly restricted, it can lead to:

• Free rides for attackers on your Google Cloud bill
• Firebase access (in worst cases)
• Quota exhaustion
• And chaos in general

⚙️ My Scanner Did This (in Seconds)

Here’s how my automated scanner flagged it:

grep -Eo 'AIza[0-9A-Za-z\-_]{35}' res/values/strings.xml

Output:

[Critical] Hardcoded Google API Key found
File: res/values/strings.xml
Key: AIzaSyD4XxY1xYwJpK0lm2nQdW9aB3s_KmBkT-AE

(🔒 Redacted here. I’m not that guy.)

🧪 Manual PoC

1. Decompile the APK:

apktool d appname.apk -o app_decompiled

2. Navigate to:

app_decompiled/res/values/strings.xml

3. Search for the pattern:

grep -Eo 'AIza[0-9A-Za-z\-_]{35}' strings.xml

That’s it. No root. No MITM. Just some CLI magic. 😎

🧠 Impact: It’s Not Just a String

• 🔥 API key abuse (Maps, Directions, Places, Firebase, etc.)
• 💸 Financial loss (you pay, attacker plays)
• 🧵 Data leakage (if tied to Firebase, oh boy)
• 📉 Brand damage (especially when the bug bounty report says: “Found in 5 minutes.”)

🛡️ How Devs Should Fix This

1. Never store secrets in client-side code — ever.
2. Use a backend proxy to sign and forward requests securely.
3. If you must keep it on the device, use Android Keystore, encrypt it, and restrict access.
4. Restrict the API key via:

• SHA-1 + package name (for Android)
• IP or referrer (for web/server)

💡 Bonus: Automate Like a Pro

This is literally the kind of bug you can automate 100%:

• Create a regex dictionary of common secrets
• Recursively scan all decompiled XML and Smali files
• Flag and log anything juicy
• Add severity rating based on regex hit + file path

(I can share the full scanner code if this post gets enough love. 😏)

☕ Hacker’s Note:

It’s not about finding random bugs — it’s about finding real-world exploitable issues that an attacker can abuse, and that a triager won’t ignore. This one was:

• Easy to find
• Realistically dangerous
• And absolutely avoidable

🧠 Security is not a feature. It’s a process. One grep at a time.