Is the google maps apiKey in app.json safe?

Expo SDK
1
  1. SDK Version:48
  2. Platforms(Android):

In the docs it says

android.config

Note: This property key is not included in the production manifest and will evaluate to undefined. It is used internally only in the build process, because it contains API keys that some may want to keep private.

so where is it stored? is it accessible by inspecting the apk? how does react-native-maps access it?

2

so where is it stored?

In apk/aab

is it accessible by inspecting the apk? how does react-native-maps access it?

yes, it’s accessible, so app can just read it from the disk

Is the google maps apiKey in app.json safe?

That depends what you mean by safe:

  • If you mean whether this is correct use of maps key, then yes. It’s expected to be stored in places where it can be accessed for third party actors.
  • If you mean whether it’s protected against unauthenticated access, then no.

There is no way to secure anything client side.

This property key is not included in the production manifest and will evaluate to undefined .

This statement does not mean it won’t be included in a build, it’s just saying it won’t be included in manifest, (so it won’t be a part of an update)

3

Hi @leoperez.dev

In addition to what wkozyra said, you should restrict the API key so that Google will only allow requests from your Android app using that key. See this video for how that is done.

See the Google docs for more details:

1 Like
4

This topic was automatically closed 20 days after the last reply. New replies are no longer allowed.