Google API flaw may expose Gemini AI data across popular Android apps

Security flaw in Google API system raises risks for Gemini users and app developers

A newly identified security issue in Google’s API system could put user data at risk across several Android apps using Gemini AI. According to a report by cybersecurity firm CloudSEK, the problem lies in how API keys behave after Gemini integration.

The report highlights that a client-side API key (AIza…), which was previously treated as a low-sensitivity identifier rather than a secret, becomes a full credential once the Gemini API is enabled on the same project. This creates a serious risk, as attackers can misuse the key to access sensitive data or make unauthorised API calls.

CloudSEK’s BeVigil platform scanned the top 10,000 Android apps and found 32 active Google API keys hardcoded across 22 apps, with over 500 million installs combined. Affected apps include Oyo, Google Pay for Business, Taobao, apna Job Search App, ELSA Speak, HD Sticker & Pack WAStickersApps, The Hindu, and ISS Live Now.

As per the findings, developers typically include this API key while integrating services like Maps or Firebase, following Google’s documentation. However, once the Generative Language API is activated, the same key gains access to Gemini endpoints without any alert to the developer. If someone decompiles the app, they can extract this key and use it as a valid Gemini credential.

For users, this means that any data shared with Gemini — including documents, images, audio, and cached AI interactions — could be accessed, copied, or misused by unauthorised actors.

Developers also face financial and regulatory risks. Since Gemini API usage is paid, unauthorised access can lead to high costs. Additionally, any data breach may result in compliance issues.

CloudSEK has advised developers to review all API keys in their Google Cloud projects, rotate exposed keys, restrict access by service, and avoid hardcoding keys in app code. For users, the recommendation is to be cautious while using Gemini features in third-party apps and rely on trusted or official platforms.
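As an added example (not code from CloudSEK, BeVigil or Google), the following pre-release check walks an app's own source and resource tree and reports any string shaped like a Google API key, so a hardcoded key is caught before it ships. It assumes the common secret-scanning pattern for these keys (the prefix "AIza" plus 35 characters) and a small set of file types to inspect; the sample project and key it builds are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

# Google API keys are 39 chars: the prefix "AIza" plus 35 chars from [0-9A-Za-z_-].
# A standard secret-scanning heuristic, not a pattern taken from the CloudSEK report.
GOOGLE_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")

# File types where Android projects most often end up embedding such keys.
SCAN_SUFFIXES = {".xml", ".java", ".kt", ".json", ".properties", ".gradle"}

def find_keys_in_text(text):
    """Return the distinct AIza-style keys found in one file's contents."""
    return sorted(set(GOOGLE_API_KEY_RE.findall(text)))

def scan_tree(root):
    """Map every hardcoded key under root to the files it appears in."""
    root = Path(root)
    hits = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in SCAN_SUFFIXES:
            continue
        for key in find_keys_in_text(path.read_text(errors="ignore")):
            hits.setdefault(key, []).append(path.relative_to(root).as_posix())
    return hits

def redact(key):
    """Show only enough of a key to identify it in a report (first 8, last 4)."""
    return key[:8] + "..." + key[-4:]

def build_sample_project():
    """Write a constructed Android-style tree (made-up key, right shape only)."""
    root = Path(tempfile.mkdtemp())
    (root / "res" / "values").mkdir(parents=True)
    (root / "res" / "values" / "strings.xml").write_text(
        '<resources>\n  <string name="maps_key">'
        "AIzaSyEXAMPLE_CONSTRUCTED_KEY_000000000</string>\n</resources>\n"
    )
    (root / "src").mkdir()
    # Mentions the prefix but holds no key, so it must not be reported.
    (root / "src" / "Config.kt").write_text(
        'const val KEY_PREFIX = "AIza"  // real key injected at build time\n'
    )
    return root

if __name__ == "__main__":
    for key, files in scan_tree(build_sample_project()).items():
        print(f"hardcoded key {redact(key)} in: {', '.join(files)}")
```

Any key this reports should be rotated and, per the advice above, replaced with a key restricted to the specific services and app signature it needs rather than one that can silently reach Gemini endpoints.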
