Skip to content

Google SafetyNet API Key

Service Name: Google SafetyNet

Service Description: Google SafetyNet is a service that helps app developers assess the security and compatibility of the Android environments in which their apps run. It provides a set of services and APIs that help protect your app against security threats, including device tampering, bad URLs, potentially harmful apps, and fake users.

Service Address: https://developer.android.com/training/safetynet

Validation Type: API Auth

IP Allow list: Does not exist at the secret level, but can be restricted through Google Cloud Console API restrictions.

Secret Access Scope: Grants access to Google SafetyNet APIs, including attestation, safe browsing, and reCAPTCHA verification services.

Secret Revokement URL: https://console.cloud.google.com/apis/credentials

Secret Example: AIzaSyD_8t7vegeHYKZgldwGwfQjU_mZZjgwdfQ

Suspicious Activity Investigation Instructions:

  • Review Google Cloud Console API usage metrics for unusual spikes in SafetyNet API calls.
  • Check for API calls from unexpected geographic locations or devices.
  • Monitor for unauthorized attestation verification requests.
  • Review billing information for unexpected charges related to SafetyNet API usage.
  • Check application logs for integration with unexpected or unauthorized apps.

Mitigation Instructions:

  • Log in to the Google Cloud Console at https://console.cloud.google.com/.
  • Navigate to "APIs & Services" > "Credentials".
  • Locate the compromised API key in the list.
  • Click the trash icon to delete the key, or click on the key to restrict its usage.
  • Create a new API key with appropriate restrictions (Android apps, IP addresses, etc.).
  • Update your applications with the new API key.
  • Consider implementing API key rotation policies for regular security maintenance.
  • Apply appropriate API restrictions to limit usage to specific Android applications, IP addresses, or websites.