Our client is facing an issue with unauthorized access to their Google Maps API key for the following services despite applying the recommended mitigations as per Google’s documentation:
- Staticmap
- Streetview
- Embed (Basic-Free)
What We’ve Done So Far
Created API Key Restrictions:
Application Restriction: Set to iOS apps.
Added the app’s bundle identifier (e.g., com.clientcompany.clientapp).
API Restriction: Limited to the necessary APIs:
- Maps SDK for iOS
- Geocoding API
- Places API
- Maps Static API
- Street View Static API
- Maps Embed API
- etc.
Updated Application Code:
- Ensured the client’s iOS app is using the restricted API key.
Despite these steps, it's still vulnerable to unauthorized access attempts using their API key for the services mentioned above.
Issue Description:
- Staticmap: The API key is flagged as vulnerable and can be accessed using a URL like: https://maps.googleapis.com/maps/api/staticmap?center=45,10&zoom=7&size=400x400&key={{APIKEY}}
- Streetview: Similar issue with URLs such as: https://maps.googleapis.com/maps/api/streetview?size=400x400&location=40.720032,-73.988354&fov=90&heading=235&pitch=10&key={{APIKEY}}
- Embed (Basic-Free): Vulnerable with embedded map links like:
Request for Assistance
Could someone please help us identify what might be going wrong? Here are some specific questions we have:
Is there any additional step we might be missing in restricting the API key for iOS applications?
Are there any known issues or bugs related to API key restrictions for iOS that we should be aware of?
Any best practices or recommendations to ensure the API key is not misused for Staticmap, Streetview, and Embed APIs?
We appreciate any insights or advice you can provide. Thank you in advance for your help!
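Added example (not from the poster, and not Google's own code): the Maps Static API and Street View Static API support a server-side digital signature in addition to the API key, computed with a URL signing secret that is separate from the key. The block below implements Google's documented scheme (HMAC-SHA1 over the URL path and query, keyed with the url-safe-base64-decoded secret) in a small proxy-style helper, so the key and the signing secret stay on a backend and the iOS app only sends map parameters. `DEMO_API_KEY` and `DEMO_SECRET` are constructed placeholders; `proxy_staticmap_request` and `verify_signed_url` are hypothetical names for this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode, urlparse

STATICMAP_ENDPOINT = "https://maps.googleapis.com/maps/api/staticmap"

# Constructed demo values for this example only. A real URL signing secret is the
# url-safe base64 string shown on the Credentials page and is distinct from the API key.
DEMO_API_KEY = "API_KEY_PLACEHOLDER"
DEMO_SECRET = base64.urlsafe_b64encode(b"constructed-demo-secret-bytes").decode("ascii")


def build_staticmap_url(api_key: str, center: str, zoom: int, size: str) -> str:
    """Build an unsigned Maps Static API request URL (same shape as in the question)."""
    params = {"center": center, "zoom": zoom, "size": size, "key": api_key}
    return f"{STATICMAP_ENDPOINT}?{urlencode(params)}"


def sign_url(url: str, signing_secret: str) -> str:
    """Append Google's documented digital signature to a Static Maps / Street View URL.

    The signature covers the path plus query string only (scheme and host are
    excluded), is an HMAC-SHA1 keyed with the url-safe-base64-decoded secret,
    and is itself url-safe-base64 encoded.
    """
    parsed = urlparse(url)
    url_to_sign = f"{parsed.path}?{parsed.query}"
    decoded_key = base64.urlsafe_b64decode(signing_secret)
    digest = hmac.new(decoded_key, url_to_sign.encode("utf-8"), hashlib.sha1).digest()
    signature = base64.urlsafe_b64encode(digest).decode("ascii")
    return f"{url}&signature={signature}"


def verify_signed_url(signed_url: str, signing_secret: str) -> bool:
    """Check that a signed URL was produced with this secret and not altered afterwards.

    Useful when the backend wants to validate URLs it handed out earlier; Google
    performs the equivalent check on its side when it receives the request.
    """
    base_url, sep, presented = signed_url.rpartition("&signature=")
    if not sep:
        return False
    expected = sign_url(base_url, signing_secret).rpartition("&signature=")[2]
    return hmac.compare_digest(expected, presented)


def proxy_staticmap_request(center: str, zoom: int, size: str,
                            api_key: str = DEMO_API_KEY,
                            signing_secret: str = DEMO_SECRET) -> str:
    """What a backend proxy does: the app supplies only map parameters; the key and
    signing secret never leave the server, and the returned URL carries a signature."""
    return sign_url(build_staticmap_url(api_key, center, zoom, size), signing_secret)


if __name__ == "__main__":
    print(proxy_staticmap_request("45,10", 7, "400x400"))
```

Two caveats a practitioner should keep in mind: a signature only adds protection to the extent that Google rejects unsigned requests for that key, which is governed by Google's documented rules for these two APIs and is worth confirming in the console; and it does not help the Embed API, which has no signing scheme. The underlying practice this illustrates is to issue one key per platform with only the APIs that platform needs, and to route web-service calls such as Static Maps through a backend rather than shipping a broadly enabled key inside the app.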