CloudSEK has identified a significant security vulnerability affecting 22 widely used Android applications, collectively installed on over 500 million devices, due to exposed Google API keys that can grant unauthorized access to Gemini AI services.
The issue stems from hardcoded API keys embedded within app code—an approach long considered safe under earlier development practices. However, with the rollout of Google’s Gemini platform, these keys now automatically inherit access to AI endpoints when enabled within a project, creating unintended exposure.
According to CloudSEK’s findings, attackers can extract these keys by decompiling apps and use them to access sensitive user data, including files such as documents, images, and audio stored via Gemini APIs. They can also misuse the keys to generate large volumes of AI requests, potentially resulting in substantial financial losses for developers.
Among the affected applications are popular platforms across sectors such as travel, fintech, and education, including OYO, Taobao, and Reliance Jio’s JioSphere browser, highlighting the widespread nature of the issue.
In one confirmed case, researchers accessed live user data through a key embedded in a language learning app, retrieving audio files uploaded for AI-based pronunciation analysis. The findings indicate that exposed keys can also allow attackers to read cached AI interactions and disrupt services by exhausting usage quotas.
The report highlights multiple real-world incidents of financial damage caused by compromised keys, including cases where organizations incurred tens of thousands of dollars in unauthorized charges within hours.
Tuhin Bose said the vulnerability is not due to developer negligence but rather a structural issue, where previously safe identifiers were effectively transformed into authentication credentials without clear communication or safeguards.
The discovery underscores a broader challenge as legacy development practices collide with rapidly evolving AI infrastructure, creating new security risks at scale.
CloudSEK has urged developers to immediately audit their applications, rotate exposed API keys, and implement stricter access controls to prevent misuse, as the industry grapples with securing AI-integrated systems.
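One way to begin the audit recommended above, as an added example that is not taken from CloudSEK's report or from this article: a Python scan of your own release APK for strings shaped like Google API keys. The key pattern used here (the `AIza` prefix plus 35 characters, as commonly used by secret scanners), the function names and the sample archive are assumptions made for illustration.

```python
import io
import re
import zipfile

# Assumed key shape: literal "AIza" followed by 35 URL-safe characters.
KEY_ASCII = re.compile(rb"AIza[0-9A-Za-z_\-]{35}")
# Resource and manifest string pools may store the same text as UTF-16LE.
KEY_UTF16 = re.compile(rb"A\x00I\x00z\x00a\x00(?:[0-9A-Za-z_\-]\x00){35}")


def redact(key: str) -> str:
    """Keep just enough of the key to find it in the cloud console."""
    return key[:8] + "..." + key[-4:]


def scan_apk(apk):
    """Return sorted (entry name, redacted key) pairs for keys found in an APK.

    `apk` is a path or a binary file object; an APK is an ordinary ZIP archive.
    """
    findings = set()
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            for m in KEY_ASCII.finditer(data):
                findings.add((info.filename, redact(m.group().decode("ascii"))))
            for m in KEY_UTF16.finditer(data):
                findings.add((info.filename, redact(m.group().decode("utf-16-le"))))
    return sorted(findings)


def build_sample_apk():
    """Constructed sample: a tiny ZIP laid out like an APK, holding fake keys."""
    fake_a = "AIza" + "A" * 35  # constructed, not a real key
    fake_b = "AIza" + "b" * 35  # constructed, not a real key
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + fake_a.encode() + b"\x00")
        zf.writestr("resources.arsc", b"\x02\x00" + fake_b.encode("utf-16-le"))
        zf.writestr("assets/readme.txt", b"no secrets here")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, key in scan_apk(build_sample_apk()):
        print(f"{name}: {key}")
```

Any hit is a key that ships to every device that installs the app, so it belongs on the rotation list and should be checked against the access controls configured for its project.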




