Apr 09, 2026 • Ionut Arghire
Google API Keys in Android Apps Expose Gemini Endpoints to Unauthorized Access
Executive Summary
Security researchers have identified a vulnerability where Google API keys embedded in Android applications can be extracted through code decompilation, exposing Gemini AI endpoints to unauthorized access. This issue affects dozens of applications where developers hardcoded credentials directly into app code. Threat actors can decompile applications, extract API keys, and gain access to all Gemini endpoints. The vulnerability stems from insecure API key storage practices. Organizations should audit Android applications for hardcoded credentials, implement secure key storage using environment variables or secrets management solutions, and enforce proper key rotation policies. Developers should also implement API rate limiting and monitoring to detect potential abuse.
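The audit step recommended above can be partly automated. The script below is an added example written for this page, not code from SecurityWeek or from the researchers; it walks the output of an APK decompiler (jadx, apktool, or similar) and flags tokens shaped like Google API keys. The shape it looks for (39 characters, starting with `AIza`, then 35 characters of `[A-Za-z0-9_-]`) is the heuristic common secret scanners use, not something the article states, and the sample files and the key in them are constructed, not real credentials. Reports are redacted so the audit log itself never becomes a second leak.

```python
import os
import re
from typing import NamedTuple

# Heuristic used by common secret scanners (assumption, not from the article):
# Google API keys are 39 characters, "AIza" followed by 35 chars of [A-Za-z0-9_-].
# Lookarounds instead of \b because '-' is not a word character.
GOOGLE_API_KEY_RE = re.compile(
    r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"
)

# Text file types worth scanning in decompiled (jadx / apktool) output.
SCAN_SUFFIXES = (".java", ".kt", ".xml", ".smali", ".json", ".properties", ".txt")


class Finding(NamedTuple):
    path: str
    line_no: int
    redacted_key: str  # never write the full secret into a report


def redact(key: str) -> str:
    """Keep enough of the key to recognise it in a rotation ticket, not enough to use it."""
    return f"{key[:8]}...{key[-4:]}"


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per Google-API-key-shaped token in `text`, with its line number."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in GOOGLE_API_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, redact(match.group(0))))
    return findings


def audit_files(files: dict[str, str]) -> list[Finding]:
    """Audit an in-memory {path: content} map (useful for CI hooks and tests)."""
    results: list[Finding] = []
    for path, content in sorted(files.items()):
        if path.endswith(SCAN_SUFFIXES):
            results.extend(scan_text(path, content))
    return results


def scan_directory(root: str) -> list[Finding]:
    """Walk a decompiled-app directory and audit every text file of interest."""
    files: dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not full.endswith(SCAN_SUFFIXES):
                continue
            with open(full, encoding="utf-8", errors="replace") as fh:
                files[full] = fh.read()
    return audit_files(files)


# Constructed sample of what decompiled output can look like. The key value is
# fabricated to have the right shape; it is not a real credential.
SAMPLE_FILES = {
    "res/values/strings.xml": (
        "<resources>\n"
        '    <string name="app_name">DemoChat</string>\n'
        '    <string name="gemini_api_key">AIzaSyEXAMPLEKEY0123456789abcdefghijklm</string>\n'
        "</resources>\n"
    ),
    "sources/com/example/chat/GeminiClient.java": (
        "package com.example.chat;\n"
        "public class GeminiClient {\n"
        "    // hardcoded credential: the pattern the article describes\n"
        '    private static final String KEY = "AIzaSyEXAMPLEKEY0123456789abcdefghijklm";\n'
        "}\n"
    ),
    "sources/com/example/chat/Safe.java": (
        "public class Safe { String proxy = BuildConfig.GEMINI_PROXY_URL; }\n"
    ),
    # Skipped by the suffix filter: a reminder that binaries need `strings`-style scanning too.
    "assets/logo.png": "opaque bytes AIzaSyEXAMPLEKEY0123456789abcdefghijklm",
}


def main() -> None:
    for f in audit_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: possible Google API key {f.redacted_key}")


if __name__ == "__main__":
    main()
```

Run `scan_directory("/path/to/decompiled-apk")` against your own builds before release; any hit means the key is already public the moment the APK ships, so the response is rotation plus a design change (serve Gemini calls from a backend the app authenticates to, and apply Google Cloud API key restrictions), not obfuscation. The suffix filter is deliberate for speed but means native libraries and packed assets should get a separate pass with a `strings`-style scan.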
Summary
Dozens of such keys can be extracted from apps’ decompiled code to gain access to all Gemini endpoints. The post Google API Keys in Android Apps Expose Gemini Endpoints to Unauthorized Access appeared first on SecurityWeek.