Google API Keys in Android Apps Expose Gemini Endpoints to Unauthorized Access
securityweek
Threat actors can extract Google API keys embedded in Android applications to gain access to Gemini AI endpoints and compromise data, CloudSEK warns.
For over a decade, Google has said that API keys for public services such as Maps are not secrets, but recent research from Truffle Security showed that these keys can be used to authenticate to the Gemini AI assistant, potentially exposing personal data.
“We scanned millions of websites and found nearly 3,000 Google API keys that now also authenticate to Gemini even though they were never intended for it. With a valid key, an attacker can access uploaded files, cached data, and charge LLM-usage to your account,” Truffle said in February.
Further research from mobile security firm Quokka (formerly known as Kryptowire) led to the discovery of over 35,000 unique keys across 250,000 Android applications.
“Because Android applications can be easily unpacked and inspected ...
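As an added, defender-side example that is not part of the article and not code from CloudSEK, Truffle Security or Quokka: a pre-release check that opens an APK (a zip archive) and flags any string in the well-known Google API key format (the literal prefix `AIza` followed by 35 characters from `[0-9A-Za-z_-]`). The sample APK, its entry names and the keys inside it are constructed placeholders built in memory, so the script runs offline; the output is a list of findings to triage, not a verdict that a key is exploitable.

```python
"""Pre-release check: find Google API keys (AIza... format) embedded in an APK.

Added example (not from the article or from CloudSEK/Truffle/Quokka). It scans
the entries of an APK (a zip archive) for the Google API key format and
reports which entry holds each key, so a release pipeline can flag keys that
must be restricted or removed before the app ships.
"""
import io
import re
import zipfile
from typing import Dict, List

# Google API keys are 39 characters: the literal prefix "AIza" followed by 35
# characters from [0-9A-Za-z_-]. The lookarounds stop partial matches inside
# longer identifiers.
GOOGLE_API_KEY_RE = re.compile(
    r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"
)

# APK entries where string data (and therefore keys) usually lives.
INTERESTING_PREFIXES = (
    "classes", "res/", "assets/", "resources.arsc", "AndroidManifest.xml",
)


def find_google_api_keys(text: str) -> List[str]:
    """Return every distinct Google-API-key-shaped token in `text`, in order."""
    seen: List[str] = []
    for m in GOOGLE_API_KEY_RE.finditer(text):
        if m.group(0) not in seen:
            seen.append(m.group(0))
    return seen


def scan_apk_bytes(apk: bytes) -> Dict[str, List[str]]:
    """Map APK entry name -> keys found in it (only entries with hits)."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith(INTERESTING_PREFIXES):
                continue
            # DEX and ARSC entries are binary; decoding as latin-1 keeps every
            # byte, so ASCII-range key strings survive without decode errors.
            text = zf.read(info).decode("latin-1")
            keys = find_google_api_keys(text)
            if keys:
                findings[info.filename] = keys
    return findings


def scan_apk(path: str) -> Dict[str, List[str]]:
    """Scan an APK on disk; returns entry name -> keys found."""
    with open(path, "rb") as f:
        return scan_apk_bytes(f.read())


# ---- constructed sample APK (not a real app, not real keys) ----------------
FAKE_KEY = "AIzaSy" + "X" * 33   # constructed: matches the format, nothing more
FAKE_KEY_2 = "AIza" + "0" * 35   # constructed second key


def build_sample_apk() -> bytes:
    """Build an in-memory zip shaped like an APK with embedded keys."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        # Key in a bundled JSON config (a common place for Gemini/Maps keys).
        zf.writestr("assets/config.json", '{"gemini_key": "%s"}' % FAKE_KEY)
        # Key in a string resource.
        zf.writestr("res/values/strings.xml",
                    "<string name='maps_key'>%s</string>" % FAKE_KEY_2)
        # A note that merely mentions the prefix is not a key and must not match.
        zf.writestr("assets/notes.txt", "keys start with AIza but this is not one")
        # Key sitting between junk bytes in a binary entry.
        zf.writestr("classes.dex", b"\x00\x01" + FAKE_KEY_2.encode() + b"\xff\xfe")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, keys in scan_apk_bytes(build_sample_apk()).items():
        for k in keys:
            print(f"{entry}: {k[:8]}... (restrict or remove before release)")
```

Each hit is a finding to triage rather than proof of exposure: a key that must ship in the app (Maps, for instance) should be restricted in the Google Cloud console to only the APIs the app needs and to the app's package name and signing certificate, while a key that is meant to reach Gemini belongs behind a backend the app calls, not in the APK. Running the script against a real build (`scan_apk("app-release.apk")`) in CI turns the "easily unpacked and inspected" property the article describes into a check the developer runs first.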
Copyright of this story solely belongs to SecurityWeek.

