Researchers warn that hardcoded Google API keys embedded in Android apps can be extracted to authenticate to Google's Gemini AI, exposing developer resources and potentially user data. CloudSEK, Truffle Security, and Quokka found thousands of vulnerable keys across apps and websites, enabling attackers to access files, exhaust quotas, and bill LLM usage to victims. #Gemini #GoogleAPIKeys
Key points
- CloudSEK found 32 hardcoded Google API keys in 22 popular Android apps with a combined userbase of over 500 million.
- Truffle Security and Quokka discovered thousands to tens of thousands of keys across websites and 250,000 Android apps.
- "AIza…" API keys can retroactively authenticate to Gemini when AI is enabled on the project.
- Extracting keys from decompiled Android packages is trivial, making automated large-scale scraping feasible.
- Abused keys can expose uploaded files and cached content, allow arbitrary Gemini API calls, exhaust quotas, and cause billing and service disruption.
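A pre-release check a developer can run over an unpacked build output to catch such keys before they ship, written as an added example that is not part of the original article: the "AIza" prefix comes from the article, the 39-character key length is a widely used secret-scanning heuristic, and the sample files are constructed for the demo.

```python
import os
import re
import tempfile

# Google API keys are the literal prefix "AIza" followed by 35 URL-safe characters (39 total).
# This is a scanning heuristic: treat hits as candidates to verify, not as proof.
GOOGLE_API_KEY_RE = re.compile(rb"AIza[0-9A-Za-z_-]{35}")

def redact(key: bytes) -> str:
    """Show only the prefix and last 4 characters so the report itself does not leak the secret."""
    s = key.decode()
    return s[:8] + "..." + s[-4:]

def scan_tree(root: str):
    """Walk an unpacked/decompiled app directory and report every candidate key.

    Returns a sorted list of (relative_path, redacted_key) tuples. Files are read as bytes so
    binary artifacts (classes.dex, resources.arsc) are covered, not just XML and JSON."""
    findings = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for m in GOOGLE_API_KEY_RE.finditer(data):
                findings.add((rel, redact(m.group(0))))
    return sorted(findings)

def demo() -> list:
    """Constructed sample: a fake unpacked APK with one key in strings.xml and one inside a dex blob."""
    fake_key = "AIza" + "A" * 35  # constructed placeholder, not a real key
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "res", "values"))
        with open(os.path.join(root, "res", "values", "strings.xml"), "w") as fh:
            fh.write(f'<string name="gemini_key">{fake_key}</string>\n')
        with open(os.path.join(root, "classes.dex"), "wb") as fh:
            fh.write(b"\x00dex\n035\x00" + fake_key.encode() + b"\x00")
        with open(os.path.join(root, "AndroidManifest.xml"), "w") as fh:
            fh.write("<manifest/>\n")  # clean file, should produce no finding
        return scan_tree(root)

if __name__ == "__main__":
    for rel_path, key in demo():
        print(f"{rel_path}: {key}")
```

Running the scan in CI against the unpacked release artifact, rather than the source tree, catches keys injected at build time (Gradle resValue, BuildConfig fields) that a source-only scan misses.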