Security concern for Google Key #51

Open
sandropoluan opened this Issue Jul 8, 2017 · 4 comments

sandropoluan commented Jul 8, 2017

```js
import Geocoder from 'react-native-geocoder';
// simply add your google key
Geocoder.fallbackToGoogle(MY_KEY);
```

Is it safe to put the KEY in a JavaScript file (client side)?
Will it not be readable by someone?

sibelius commented Jul 8, 2017

You can use react-native-dotenv and keep your keys outside the code

brunsy commented Aug 2, 2017

@sandropoluan, the app keys can still be reverse engineered. You will need to design your app with that in mind.

victorbadila commented Sep 11, 2017

To comment on this, I think it is definitely not safe; however, I don't think there is any alternative to this if you want to fall back to the Google API solely from the client app. The fallback thing is optional though, so it is up to each one whether they want to risk exposing their key or not. Would adding this warning to the README.md documentation be enough in order to close this issue?

gareys commented Jun 9, 2018

I know this is stale, but you have to place your API key in the client-side application for the client-side Google Maps API to work. That being said, they allow you to restrict access to IP addresses, referrer URLs and mobile apps. Client-side Maps API keys are everywhere; you just have to restrict access to them appropriately to avoid being exploited. See https://stackoverflow.com/a/39625963/5380634 and https://console.developers.google.com
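
The point raised in this thread, that a key placed in client-side JavaScript ships inside the app and can be read back out, can be checked before release. The following is an added example, not code from react-native-geocoder or from any commenter: it scans bundle text for Google-API-key-shaped strings and passes only when each one is on a list of keys the team has recorded as restricted. The function names, the `reviewedKeys` allowlist and the sample bundle with fake keys are assumptions constructed for illustration.

```javascript
// Google API keys are 39 characters: "AIza" plus 35 URL-safe characters.
const GOOGLE_KEY_RE = /AIza[0-9A-Za-z_-]{35}/g;

// Show only enough of a key to identify it in a report.
function redact(key) {
  return key.slice(0, 8) + '...' + key.slice(-4);
}

// Scan bundle text; return one finding per distinct key with the lines it is on.
// reviewedKeys (hypothetical allowlist): keys recorded as restricted in the
// Google console (mobile app, referrer URL or IP address restrictions).
function findGoogleKeys(bundleText, reviewedKeys = []) {
  const reviewed = new Set(reviewedKeys);
  const byKey = new Map();
  bundleText.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(GOOGLE_KEY_RE)) {
      const key = m[0];
      if (!byKey.has(key)) {
        byKey.set(key, { key: redact(key), lines: [], reviewed: reviewed.has(key) });
      }
      byKey.get(key).lines.push(i + 1);
    }
  });
  return [...byKey.values()];
}

// Build gate: false when the bundle carries a key nobody recorded as restricted.
function bundleIsReleasable(bundleText, reviewedKeys = []) {
  return findGoogleKeys(bundleText, reviewedKeys).every((f) => f.reviewed);
}

// Constructed sample with fake keys: one written as a literal, one as it looks
// after a build step has inlined a value taken from an env file.
const FAKE_LITERAL = 'AIza' + 'A'.repeat(35);
const FAKE_INLINED = 'AIza' + 'b1_-'.repeat(8) + 'xyz';
const SAMPLE_BUNDLE = [
  '__d(function(g,r,i,a,m,e,d){var G=r(d[0]).default;',
  `G.fallbackToGoogle("${FAKE_LITERAL}");`,
  `var env={GOOGLE_KEY:"${FAKE_INLINED}"};G.fallbackToGoogle(env.GOOGLE_KEY);`,
  '},42,[7]);',
].join('\n');

const findings = findGoogleKeys(SAMPLE_BUNDLE, [FAKE_LITERAL]);
console.log(findings, bundleIsReleasable(SAMPLE_BUNDLE, [FAKE_LITERAL]));
```

Both keys are found regardless of how they reached the bundle, which is why keeping the value in an env file changes where it is stored in the repository but not whether it ships.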
