Description:
I received an security alert notification from Google Play:
`Security alert
Your app contains exposed Google Cloud Platform (GCP) API keys. Please see this Google Help Centre article for details.
Vulnerable locations:
com.onesignal.PushRegistratorFCM->getApiKey`
Environment
How I can fix this issue? Thanks,
Add restrictions to your API key so that only your apps are allowed to use the API key. More details on adding restrictions to API keys can be found here.
Add restrictions to your API key so that only your apps are allowed to use the API key. More details on adding restrictions to API keys can be found here.
Thanks
We already did the restriction on API keys, but the Security alert still on Google Play console.
Does it effect to our app?
Hello everyone.
We have the same Security alert after update to the OneSignal 3.12.7.
Same issue here.
I believe the actual issue here is with the FCM_DEFAULT_API_KEY.
I think this key should not be public. https://github.com/OneSignal/OneSignal-Android-SDK/blob/a3b21d30afe05bb7b14ca35234a6870eaf8205df/OneSignalSDK/onesignal/src/main/java/com/onesignal/PushRegistratorFCM.java#L49
Solution could be one of below:
Expected that OneSignal team will work on this issue asap. below is exact screenshot that I received from my play consol account.

Above screenshot redirects me to this link and same solution links I have mentioned above.
here is my build.gradle configuration for your respective troubleshooting.
buildscript {
repositories {
maven { url 'https://plugins.gradle.org/m2/'}
}
dependencies {
classpath 'gradle.plugin.com.onesignal:onesignal-gradle-plugin:0.12.6'
}
}
apply plugin: 'com.onesignal.androidsdk.onesignal-gradle-plugin'
apply plugin: 'com.android.application'
android {
compileSdkVersion 29
defaultConfig {
minSdkVersion 16
targetSdkVersion 29
versionCode 2
versionName "1.0.1"
}
buildTypes {
release {
minifyEnabled false
proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
}
}
defaultConfig {
manifestPlaceholders = [
onesignal_app_id: 'I_CAN_NOT_SHOW_THIS_HERE',
onesignal_google_project_number: 'REMOTE'
]
}
}
dependencies {
implementation 'com.onesignal:OneSignal:3.12.7'
}
If needed any more information, please let us know. we can provide it straight away. Also, its humble request to other developers to share the best solution, just in case if there is any (before onesignal team makes any changes into it).
Thanks in advance :)
@rgomezp Are you reviewing on this issue? As you can check in my shared screenshot that Google Play Consol team clearly mentioning that issue is here.
Please help us at earliest before playstore takes any strict action on our app(s).
Thanks for reporting. This is a false positive so you can safely ignore. We are looking into making a change to prevent Google from throwing this as a warning.
Okay, please let us know when this change will be made available, and steps to take to remove the warning from Google. @jkasten2
Same error here (https://support.google.com/faqs/answer/9287711):

We also got the same warning
Your app contains exposed Google Cloud Platform (GCP) API keys. Please see this Google Help Center article for details.
Vulnerable locations:
com.onesignal.PushRegistratorFCM->getApiKey
Affects APK version 17.
Security alert
Your app contains exposed Google Cloud Platform (GCP) API keys. Please see this Google Help Center article for details.
Vulnerable locations:
com.onesignal.PushRegistratorFCM->getApiKey
Affects APK version 1.
Thanks for reporting. This is a false positive so you can safely ignore. We are looking into making a change to prevent Google from throwing this as a warning.
I know its warning. but I have used one signal on my many client applications. but last few days many clients prompt me for a solution. now things go worst. we are waiting for a better solution but now time to move with firebase notification. so in future, we never face again this kind of security issue.
Will downgrading to a lower version work?
Having this issue after I upgraded to 3.12.7
We are shooting for an SDK update later this week with a fix for this false positive security warning as well as a few other SDK improvements.
@DaxeshV To work around the issue for today if you need to remove this warning for your clients I recommend using using OneSignal 3.12.6 for the time being. OneSignal 3.12.7 is only required if you use com.google.firebase:firebase-messaging:20.1.0 or newer. By default OneSignal depends on com.google.firebase:firebase-messaging:[10.2.1, 17.3.99] so in most cases this should be fine.
Well. I have same with this issues.
We the same issue. Patiently waiting for a fix 馃檹
Security alert
Your app contains exposed Google Cloud Platform (GCP) API keys. Please see this Google Help Centre article for details.
Vulnerable locations:
com.onesignal.PushRegistratorFCM->getApiKey
i have same also !!?
Do you have an ETA for the update?
Any update on this? We the same issue. Some security check apps, such as Galaxy's Device Care app, say our app is 'MALWARE' because of this and not a few of our users have uninstalled the app, writing bad reviews on the Google play store. More and more newbies sees those reviews, the rating of the app has fallen and the number of new users has decreasing. It's CRITICAL.
This false positive has now been fixed in the 3.13.0 Release. Thanks for everyone's patience.
This false positive has now been fixed in the 3.13.0 Release. Thanks for everyone's patience.
Hi, I see this update in 'OneSignal-Android-SDK' but I only see version 2.8.4 in 'OneSignal-Cordova-SDK'. Is there a possibility of the Cordova plugin getting this update as well? Thanks.
and for react native sdk too pls
Hello guys,
Flutter SDK got same problem. Can you please update for Flutter soon?
Thank you!
and for react native sdk too pls
Hello guys,
Flutter SDK got same problem. Can you please update for Flutter soon?
Thank you!
This issue was closed. Why you don't create a new issue on correct your repository library of flutter or react?
It will help you look for the help faster than requesting help on wrong repository git.
Hello, how about xamarin package? I dont see any update for xamarin. I believe that this is not only a warning. for some reason, our app downloads went down and uninstall rate increased after this issue appeared. I dont know if this is a coincidence. anyone else seen similar stats, guys?
Hi. I have the same error message on google console. I am working with Xamarin Forms and the version of OneSignal that I have installed in the application is 3.7.3. in the Nuguet packages it appears as the last released version.
What can you tell me about this?
Thank you very much!!
This false positive has now been fixed in the 3.13.0 Release. Thanks for everyone's patience.
Hi, I see this update in 'OneSignal-Android-SDK' but I only see version 2.8.4 in 'OneSignal-Cordova-SDK'. Is there a possibility of the Cordova plugin getting this update as well? Thanks.
Please view : https://github.com/OneSignal/OneSignal-Cordova-SDK/issues/619
According to them they will release an update this week.
Most helpful comment
This false positive has now been fixed in the 3.13.0 Release. Thanks for everyone's patience.