
Major Security Vulnerability Exposes Google Gemini AI in 500 Million Apps Due to Hardcoded API Keys, Warns ETCISO


Cybersecurity firm CloudSEK has discovered 22 Android apps, collectively installed on over 500 million devices, that contain hardcoded Google API keys with access to Google's Gemini AI platform. Developers mistakenly treated API keys in the AIza format as public identifiers, not realizing they also grant access to sensitive endpoints. The exposure arose because enabling the Gemini API produced no warning that existing keys would automatically inherit access to it. An analysis of Android apps revealed 32 live keys across various sectors, raising significant security concerns. For instance, the ELSA Speak app was found querying the Gemini Files API, exposing user-uploaded audio files. Exposed API keys can lead to unauthorized usage and hefty charges for developers, as seen in three cases of misuse resulting in financial losses exceeding $82,000. The issue highlights a critical flaw in API design: identifiers treated as public became de facto credentials for AI access, posing an ongoing risk for mobile applications.
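The root cause described above is a key that was shipped inside the app package. The simplest defence is to refuse to build or commit when an AIza-format key appears in source or resource files. The following is an added example of such a pre-commit/CI check; it is not code from CloudSEK or from the article, and it assumes the 39-character `AIza...` pattern that secret-scanning tools commonly use for Google API keys. The sample files it scans are constructed inline.

```python
"""Added example: CI check that fails when a hardcoded Google API key
(AIza... format) appears in an Android project's source or resource files.
Not code from CloudSEK or the article; the key pattern is an assumption
taken from common secret-scanner rules, and the sample files are constructed.
"""
import re
import sys
import tempfile
from pathlib import Path
from typing import Iterator

# Google API keys begin with "AIza" and are 39 characters long in total
# (assumed format, as used by most secret-scanning tools).
GOOGLE_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")

# File types that are compiled into, or packaged with, an Android app.
SCAN_SUFFIXES = {".java", ".kt", ".xml", ".properties", ".json", ".gradle", ".kts"}


def redact(key: str) -> str:
    """Report only enough of the key to locate it; never echo the full secret."""
    return key[:8] + "..." + key[-4:]


def find_keys_in_text(text: str) -> list[tuple[int, str]]:
    """Return (line_number, key) for every AIza-format key found in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in GOOGLE_API_KEY_RE.finditer(line):
            hits.append((line_no, match.group(0)))
    return hits


def iter_source_files(root: Path) -> Iterator[Path]:
    """Yield every file under root whose suffix is in SCAN_SUFFIXES."""
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in SCAN_SUFFIXES:
            yield path


def scan_tree(root: Path) -> list[tuple[str, int, str]]:
    """Scan a source tree; return sorted (relative path, line, redacted key)."""
    findings = []
    for path in iter_source_files(root):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than crash the build
        for line_no, key in find_keys_in_text(text):
            findings.append((path.relative_to(root).as_posix(), line_no, redact(key)))
    return sorted(findings)


# Constructed sample key (39 chars) and sample project files; not real values.
SAMPLE_KEY = "AIzaSy" + "0123456789abcdefghijklmnopqrstuvw"
SAMPLE_FILES = {
    "app/src/main/res/values/strings.xml":
        "<resources>\n"
        f'    <string name="gemini_api_key">{SAMPLE_KEY}</string>\n'
        "</resources>\n",
    "app/src/main/java/com/example/GeminiClient.java":
        "public class GeminiClient {\n"
        "    // Correct pattern: the client gets a short-lived token from our backend\n"
        '    static final String KEY_ID = "AIzaShort";  // too short to be a key\n'
        "}\n",
    # Markdown is not scanned here; the key in it is a deliberate negative case.
    "README.md": f"Do not commit keys such as {SAMPLE_KEY}\n",
}


def demo() -> list[tuple[str, int, str]]:
    """Write the constructed sample project to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    # Usage in CI: python check_keys.py <project-root>; no argument runs the demo.
    results = scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for rel_path, line_no, shown in results:
        print(f"{rel_path}:{line_no}: hardcoded Google API key {shown}")
    sys.exit(1 if results else 0)
```

The check flags only the strings.xml entry: the `README.md` key is outside the scanned suffixes and `"AIzaShort"` does not match the full-length pattern. In a real pipeline the finding should block the build, and the app should obtain Gemini access through a backend that holds the key server-side (or a short-lived token it issues), so that nothing in the APK can inherit new API access when a project enables another service.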
