
Hardcoded API Keys in 22 Android Apps Expose Google Gemini AI Access: CloudSEK

Digital India Times Bureau
  • Published April 10, 2026

Over 500 million installs affected; flaw enables unauthorized access, data exposure and massive billing abuse

Bengaluru: Cybersecurity firm CloudSEK has found hardcoded Google API keys in 22 widely used Android applications, collectively installed on more than 500 million devices, that expose access to the Gemini artificial intelligence platform.

The findings, published through CloudSEK’s BeVigil security search engine, highlight a structural flaw arising from legacy developer practices combined with the rapid expansion of Google’s AI infrastructure.

For years, developers were told that Google API keys in the “AIza” format, the kind that client-side SDKs such as Firebase and Maps use, could be embedded in public applications because they identify a project rather than authenticate a user. With the rollout of the Gemini APIs, however, the same key grants access to the Gemini endpoints as soon as the Generative Language API is enabled in its Google Cloud project, with no notification to the developer and no explicit opt-in.

CloudSEK identified 32 active keys across the 22 apps after scanning the top 10,000 Android applications by install count. The affected apps span sectors such as e-commerce, finance, travel, education and productivity, including platforms with tens of millions of users.

In a confirmed case of data exposure, researchers used a key embedded in the ELSA Speak app to access Google’s Gemini Files API, retrieving a live listing of user-uploaded audio files, likely related to speech training data.

The report warns that anyone who extracts such a key from an app’s code can access private user files uploaded through the Files API, generate large volumes of requests that are billed to the app owner, exhaust the project’s usage quotas, and retrieve sensitive AI interaction data.
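The extraction step described above is not hard: an APK is a zip archive, and an AIza-format key is a fixed-shape string constant. The following script is an added example, not CloudSEK's or BeVigil's code. It pulls every AIza-style key out of an APK and, optionally, probes the Gemini API's /models and /files endpoints to see whether the key's project has Gemini enabled and whether uploaded files can be listed, which is the check behind the ELSA Speak finding. The sample APK and the dummy key inside it are constructed for illustration; the function names are this example's own.

```python
"""Scan an Android APK for embedded Google "AIza" API keys and probe whether
a key is accepted by the Gemini (Generative Language) API.

Added example; this is not CloudSEK's or BeVigil's code. The sample APK,
the key inside it and the helper names are constructed for illustration.
"""
import io
import json
import re
import sys
import urllib.error
import urllib.request
import zipfile

# Google API keys are 39 characters: the literal prefix "AIza" plus 35
# characters from [0-9A-Za-z_-]. The pattern is applied to raw bytes so it
# catches keys in resources.arsc, DEX string tables and assets alike.
AIZA_RE = re.compile(rb"AIza[0-9A-Za-z_\-]{35}")

# Base URL of the Gemini Developer API (generativelanguage.googleapis.com).
GEMINI_BASE = "https://generativelanguage.googleapis.com/v1beta"


def find_aiza_keys(apk_bytes: bytes) -> dict[str, list[str]]:
    """Return {key: [archive members containing it]} for an APK given as bytes.

    No decompilation is needed to recover a string constant from a zip, which
    is why a key shipped in an app is effectively public.
    """
    found: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            for match in AIZA_RE.finditer(data):
                key = match.group(0).decode("ascii")
                members = found.setdefault(key, [])
                if info.filename not in members:
                    members.append(info.filename)
    return found


def probe_gemini_key(key: str, timeout: float = 10.0) -> dict[str, dict]:
    """Check what KEY can reach on the Gemini API (network call; run it only
    against keys belonging to a project you are authorised to test).

    /models answers 200 when the key's project has the Generative Language
    API enabled and the key is not restricted away from it. /files is the
    Files API listing from the ELSA Speak case: a 200 with a non-empty
    "files" array means the key exposes user uploads.
    """
    result: dict[str, dict] = {}
    for path in ("models", "files"):
        req = urllib.request.Request(
            f"{GEMINI_BASE}/{path}", headers={"x-goog-api-key": key}
        )
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                body = json.load(resp)
                result[path] = {"status": resp.status, "count": len(body.get(path, []))}
        except urllib.error.HTTPError as err:  # 400/403: API disabled or key restricted
            result[path] = {"status": err.code, "count": 0}
    return result


def build_sample_apk() -> bytes:
    """Construct a minimal in-memory 'APK' (a zip) carrying a dummy key.

    The key is a placeholder of the right shape, not a real credential.
    """
    dummy_key = "AIzaSyDUMMY0123456789abcdefghijklmnopqr"  # constructed, 39 chars
    strings_xml = (
        '<resources><string name="gemini_api_key">' + dummy_key + "</string>"
        '<string name="not_a_key">AIzaShort</string></resources>'
    )
    config_json = json.dumps({"generativeLanguageKey": dummy_key})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("res/values/strings.xml", strings_xml)
        zf.writestr("assets/config.json", config_json)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python scan_aiza.py app.apk [--probe]   (no argument: scan the sample)
    apk = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    for key, members in find_aiza_keys(apk).items():
        print(key, "found in", ", ".join(members))
        if "--probe" in sys.argv:
            print("  gemini probe:", probe_gemini_key(key))
```

Run without arguments, it scans the constructed sample and reports the dummy key in both res/values/strings.xml and assets/config.json while ignoring the too-short "AIzaShort" decoy. The probe only tells you whether a key is accepted; the fix on the owning project is to restrict the key to the APIs the app actually needs, or to move Gemini calls behind a backend that holds the credential, so that a key shipped in an APK cannot reach the Generative Language API at all.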

CloudSEK cited multiple real-world incidents of abuse, including cases where organisations faced losses ranging from $15,400 overnight to over $128,000 due to unauthorized API usage.

According to Tuhin Bose, cybersecurity researcher at CloudSEK, the issue stems not from developer negligence but from a design-level shift where publicly exposed identifiers effectively became authentication credentials without adequate communication.

The firm said the findings point to a widespread and systemic security risk, urging organisations to review and secure their API key management practices as AI integration deepens across platforms.
