Issue
I've just started Google Maps plugin for Flutter and it required me to insert the generated API key into the AndroidManifest.xml file in android/app/src/main/AndroidManifest.xml. A few moments later I committed it to my repo and immediately got a warning from Google and Git to change generate a new key etc (didn't know you weren't supposed to do that so I'm well aware now).
After, I began searching ways to hide API keys. One solution is to use the Flutter Secure Storage plugin but that only helps (I think) within a .dart file. Another is to create a separate file and add it to .gitignore but when I build the APK won't that file also be bundled?
Ideally I'd like to publish it but I wouldn't want the key to be easily accessible so how can I load the API key into the AndroidManifest.xml file without using plaintext? I would like to avoid using a backend so I was thinking I could manually hash it and then unhash at runtime, but I still don't know how to dynamically change the AndroidManifest.xml file.
Solution
There is no way for you to obfuscate the key stored in your Manifest as the stored (static) value will be directly used by the Google Maps API itself. To secure your key, consider adding restrictions in your GCP console so that only authorized clients can use your key.
See this link for more details: https://developers.google.com/maps/documentation/android-sdk/get-api-key#restrict_key
Here's more information about the best practices to securing your API keys: https://developers.google.com/maps/api-key-best-practices#api_key_table
Answered By - Christilyn Arjona
Answer Checked By - Senaida (JavaFixing Volunteer)
