An Android demo app showcasing why hardcoding API keys in strings.xml is a critical security vulnerability.
When API keys are stored in res/values/strings.xml, anyone can extract them from your released APK in under a minute:
```sh
# Step 1: Decompile the APK
apktool d your_app.apk
# Step 2: Find the keys instantly
cat your_app/res/values/strings.xml
```

With the extracted keys, an attacker can:
- Load Google Maps using your quota
- Query Firebase Realtime Database
- Call Routes, Air Quality, Pollen, Solar, and Weather APIs
- Rack up charges on your Google Cloud billing account
| Screen | API Used |
|---|---|
| Map with search | Maps SDK + Places API |
| Firebase Info | Firebase App options (apiKey, projectId, appId, etc.) |
| Database | Firebase Realtime Database REST API |
| Routes | Google Routes API |
| Air Quality | Google Air Quality API |
| Pollen | Google Pollen API |
| Solar | Google Solar API |
| Weather | Google Weather API |
- Clone the repo
- Create a Firebase project at console.firebase.google.com
- Download `google-services.json` and place it in `app/`
- Replace placeholders in `app/src/main/res/values/strings.xml` with your real keys
- Enable the required APIs in Google Cloud Console
- Build and run
| Bad (demonstrated here) | Good |
|---|---|
| `strings.xml` | `local.properties` + `.gitignore` |
| Hardcoded in code | Environment variables / CI secrets |
| No key restrictions | Restrict keys to your app's package name + SHA-1 |
| Public Firebase rules | `auth != null` rules on all paths |
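The "Good" column in practice: an `app/build.gradle.kts` that reads the keys from `local.properties` (or a CI secret) and injects them at build time, so nothing secret is committed. This is an added example, not the demo's own build file; the property names `MAPS_API_KEY` and `FIREBASE_DB_URL`, the package name and the SDK levels are assumptions.

```kotlin
// app/build.gradle.kts (added example; property names are assumptions)
import java.util.Properties

plugins {
    id("com.android.application")
    id("org.jetbrains.kotlin.android")
}

// local.properties is gitignored by default in Android Studio projects,
// so values read from it never reach version control.
val localProps = Properties().apply {
    val f = rootProject.file("local.properties")
    if (f.exists()) f.inputStream().use { load(it) }
}

// Fail the build early instead of shipping an empty key or a leftover placeholder.
fun secret(name: String): String =
    localProps.getProperty(name)
        ?: System.getenv(name)            // CI: supplied as a masked secret
        ?: error("Missing '$name': add it to local.properties or the CI environment")

android {
    namespace = "com.example.apikeydemo"  // assumption: the demo's package name
    compileSdk = 34

    defaultConfig {
        applicationId = "com.example.apikeydemo"
        minSdk = 24
        // The Maps SDK reads com.google.android.geo.API_KEY from the manifest;
        // the placeholder below is substituted at build time.
        manifestPlaceholders["MAPS_API_KEY"] = secret("MAPS_API_KEY")
        // Values used from code go through BuildConfig, not a string resource.
        buildConfigField("String", "FIREBASE_DB_URL", "\"${secret("FIREBASE_DB_URL")}\"")
    }

    buildFeatures { buildConfig = true }  // needed on AGP 8+ for buildConfigField
}
```

In `AndroidManifest.xml` the Maps key is then referenced as `<meta-data android:name="com.google.android.geo.API_KEY" android:value="${MAPS_API_KEY}" />`. Note that the key still ends up inside the built APK (manifest and `BuildConfig`), so this only keeps it out of the repo; the package-name + SHA-1 restrictions in the next section are what limit what an extracted key can do.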
Always restrict your API keys:
- Android apps → restrict by package name + SHA-1 fingerprint
- Maps/Places → restrict to specific APIs only
- Firebase → enable App Check
MIT — for educational and interview demonstration purposes only.