A security alert just popped up in my Play Console account

no earning app

Are you sure about that? From what we can tell from that screenshot it looks like one.

i see all token and url 50 time all are ok but see this problem

Well now that you deleted the screenshots we can be 100% sure you have an earning app.
Thankfully I saved the last one before you delete them:grin:


Remediation for Exposed GCP API keys

This information is intended for developers with app(s) that contain exposed Google Cloud Platform (GCP) API key(s). Locations of exposed GCP API keys in your app can be found in the Play Console notification for your app.

Additional Details

If you embed GCP API keys in your applications, those keys will become publicly available. This exposure of your API keys could lead to unexpected charges and quota changes in your app’s account. We recommend fixing this issue in your app using one of the following ways:

  1. If possible, use GCP service accounts in lieu of GCP API keys for authenticating your app. A GCP service account is a Google account associated with your GCP project. More details on creating and using service accounts can be found here.
  2. Add restrictions to your API key so that only your apps are allowed to use the API key. More details on adding restrictions to API keys can be found here.

Please review the GCP best practices for securely using API keys.

Next steps

  1. Update your app using the steps highlighted above.
  2. Sign in to your Play Console and submit the updated version of your app.

Your app will be reviewed again; if the app has not been updated correctly, you will still see the warning. This process can take several hours.

We’re here to help

If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.”

dear kodular please info whats a problem and how to solved it

1 Like

i have 6 kodular application on google play console but only 3 apps alert show other 3 apps is ok .

The developers of Kodular are looking into this so just be patient.


You mean to say to remove api key from the app and to include it by our own server so that Google can not see that api key in our app.

If that is true then And one more thing kodular has the facility to change firebase values in blocks but thunkable* has not. What to do?

*I know this is not thunkable platform/community. Don’t reply if anybody has problem with that.


so what problem fix thats why i delet lol

Could this step be enough? So not the server part.

no server part is important you can skip the ofuscated block step but you cannout skip the server part. As Google clearly mentions that using API in clients side app is dangerous and prohibited. So we should always keep our API in our own servers.


Or when you don’t use Google Play it should be good to :wink::grin::sunglasses:


i don’t think so because even if publish your app anywhere else then still your API is vulnerable. its just that you won’t recieve that warning and if anyone wants he can misuse our api and can even exhaust daily quota of api services. which hurts an app developer financially. so i praise google for doing this.


i also received this security alert on my apps.

What if we hash the API key and each time it is needed we just decrypt it with the salt:thinking: still not as good as a server but better than obfuscated text, isn’t it?


Maybe try and see how Google responds.

I don’t have a Developer Account :sweat_smile:

I never worked with Firebase. Maybe someone else can test it.

1 Like

any solution? base in my knowledge it’s the firebase component, which i think theirs something we need to do in token and api key, but dont know how to start