GOOGLE_API_KEY_FOR_ANDROID variable may lead to unauthorized access to google api key #249

Closed
5 tasks done
PDLMobileApps opened this issue Aug 17, 2020 · 0 comments · Fixed by #250

Comments

@PDLMobileApps
Contributor

Bug report

CHECKLIST

  • I have reproduced the issue using the example project or provided the necessary information to reproduce the issue.
  • I have checked that no similar issues (open or closed) already exist.

Current behavior:

The GOOGLE_API_KEY_FOR_ANDROID variable, which is set in the config.xml, is stored in the AndroidManifest.xml in cleartext, making it possible for an attacker to access the Google API Key and use it in an unauthorized manner. That may lead to overbilling in pay-per-use scenarios.

The plugin requires the Google API Key to be set in the GOOGLE_API_KEY_FOR_ANDROID variable in config.xml and stores it in the AndroidManifest.xml in cleartext. Hence, this is an issue with the plugin.

Expected behavior:

The Google API key should be set in a variable that is not accessible to the attacker, that is, not in AndroidManifest.xml.

Steps to reproduce:

  1. Follow the instructions to install the plugin in a Cordova app
  2. Build the app for Android
  3. Decompile the app (http://www.javadecompilers.com/apk) and open the AndroidManifest.xml

The Google API Key is contained in that file.

Screenshots

Environment information

  • Cordova CLI version
    9.0.0 (cordova-lib@9.0.1)
  • Cordova platform version
    Installed platforms:
    android 8.1.0
    ios 5.1.1
  • Plugins & versions installed in project (including this plugin)
    5.0.4
  • Dev machine OS and version, e.g.
    • OSX
      ProductName: Mac OS X
      ProductVersion: 10.15.5
      BuildVersion: 19F101

Related code:

config.xml

    <plugin name="uk.co.workingedge.phonegap.plugin.launchnavigator" spec="5.0.4">
        <variable name="GOOGLE_API_KEY_FOR_ANDROID" value="my_google_key" />
        <variable name="OKHTTP_VERSION" value="3.+" />
    </plugin> 

AndroidManifest.xml

    <?xml version='1.0' encoding='utf-8'?>
    <manifest android:hardwareAccelerated="true" android:versionCode="100899" android:versionName="9.99.999" package="com.foodlion.mobile" xmlns:android="http://schemas.android.com/apk/res/android">
        <application android:allowBackup="false" android:extractNativeLibs="true" android:hardwareAccelerated="true" android:icon="@mipmap/ic_launcher" android:label="@string/app_name" android:supportsRtl="true" android:usesCleartextTraffic="true" tools:replace="android:allowBackup" xmlns:tools="http://schemas.android.com/tools">
            ...
            <activity android:name="com.worklight.wlclient.ui.UIActivity" />
            <meta-data android:name="launchnavigator.GOOGLE_API_KEY" android:value="my_google_key" />
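
A build-time check for the exposure described in this issue, added here as an example and not part of the plugin or the original report: it scans a decoded (text) AndroidManifest.xml for `<meta-data>` entries that carry key-like values. The function names, the name heuristic and the sample manifest are assumptions of this example.

```javascript
'use strict';

// Google API keys are "AIza" followed by 35 URL-safe characters.
const GOOGLE_KEY_RE = /^AIza[0-9A-Za-z_-]{35}$/;
// Heuristic for entry names that suggest a credential (assumption of this example).
const KEY_NAME_RE = /api[_.-]?key|secret|token/i;

// Parse name="value" / name='value' pairs from the inside of one tag.
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([\w:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1]] = m[2] !== undefined ? m[2] : m[3];
  }
  return attrs;
}

// Return one finding per <meta-data> entry that carries a key-like value.
// Only the entry name is reported, so the key itself stays out of CI logs.
function findManifestKeys(manifestXml) {
  const findings = [];
  const tagRe = /<meta-data\b([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(manifestXml)) !== null) {
    const attrs = parseAttributes(m[1]);
    const name = attrs['android:name'] || '';
    const value = attrs['android:value'] || '';
    if (GOOGLE_KEY_RE.test(value)) {
      findings.push({ name, reason: 'google-key-format' });
    } else if (KEY_NAME_RE.test(name) && value !== '') {
      findings.push({ name, reason: 'key-like-name' });
    }
  }
  return findings;
}

// Constructed sample: the entry from the issue plus one value in real key format.
const SAMPLE_MANIFEST = `<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <activity android:name="com.worklight.wlclient.ui.UIActivity" />
    <meta-data android:name="launchnavigator.GOOGLE_API_KEY" android:value="my_google_key" />
    <meta-data android:name="example.OTHER" android:value="${'AIza' + 'x'.repeat(35)}" />
    <meta-data android:name="example.THEME" android:value="dark" />
  </application>
</manifest>`;

console.log(JSON.stringify(findManifestKeys(SAMPLE_MANIFEST)));
```

Anything the build writes into the manifest ships inside the APK, so a finding here is a prompt to apply Android app and API restrictions to the key in the Google Cloud console, not only to move the value elsewhere in the package.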