My API is getting leaked.. need advice!

Hi All,

I’ve built a number of apps with android and quite recently a browser app.

The android apps I have all call my API key from Firebase.

On the 15th of this month I noticed a massive spike in usage but no real spike in downloads or usage of my apps. Looking through the daily usage breakdown I couldn’t really see anything abnormal, so I just regenerated my keys and left it at that.

Yesterday and today I again saw a massive spike in usage. However, this time round I’ve noticed in my OpenAI daily usage logs that models are getting used that I don’t use within my apps/website, specifically text embedding models, when none of my apps use embedding.

I guess my question is, to try and track down the possible leak of my API key, will I need to create separate accounts for each app to track their usage individually?

Does anyone know if OpenAI can provide me with logs about the usage I’m 100% sure is not genuine and is from leaked keys?

Thanks!

Ashley

I’m guessing you’re using Firebase functions to handle the requests? Do they trigger or is it explicitly called by the user? How are you handling errors? Does it return data or does it update another service like a database?

It’s hard to say anything else without seeing your code.

Instead of trying to track the usage I think you need to completely delete all your API keys and re-evaluate your code.

How are your API keys managed? Are they server-side env variables or managed keys via an AWS, Azure, Google style key manager… or are they hard coded into the app?

Thanks for the replies guys.

My apps currently use Firebase Remote Config to send the API key to the app. They are not hard coded into the actual app.

Hmmm. Okay there’s your issue.

You shouldn’t be using remote config for your API keys.

If the app handed off the request to a cloud function which then made the OpenAI API call, you’d be golden. No way could it be intercepted by the user without them somehow having privileged access to your Firebase account or the infra it runs on.

I’m guessing you’re using remote config to send the API key to the app, which is making the call directly. It doesn’t matter if the key isn’t hardcoded into the app if it gets sent over the line to or from the app. You can easily use Wireshark or Charles to monitor what’s coming out of the phone.

Here is a (really terrible and annoying) video I did years ago to prove that iOS’s mail client did not always delete mail when told to. Why IOS doesn't delete mail from server - YouTube. The same could be done to lift your API key if it is in fact leaving the phone.

Thank you all for the advice.

I will look to change the way the apps make the calls.

@ashxbl Hello! How did you store your API keys safely in the end? Should I use a Firebase Cloud Function to communicate with the OpenAI service and then transfer the response back to the app? I am using a React Native / Firebase architecture and I am figuring out that securing the key in the frontend is a big no-no.

Yes, you should make your OpenAI requests and store your key in some backend service; Firebase Cloud Functions is a good example.

Hiya… Unfortunately it’s still on my list to do while I focus on other unrelated projects. The apps aren’t getting crazy traffic so it is easy for me to just keep an eye on and regularly rotate my keys. I’ve had no suspicious activity since my original post.

Thank you for your fast reply! I did some projects with Vercel and called the API from the /api directory. Is that also considered to be a safe way? (From my understanding it is, but it’s always good to check.)
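The hand-off that the replies above recommend (the app calls your cloud function, the function holds the OpenAI key and makes the upstream call, and the same shape applies to a Vercel /api route) looks like this in practice. This is an added example and not code from any poster, from Firebase or from Vercel; it is written as plain Node.js with no firebase-functions import so it runs offline. The function names (`handleChatRequest`, `buildUpstreamRequest`, and so on), the `ALLOWED_MODELS` list and the stubbed `verifyIdToken`/`fetchImpl` dependencies are assumptions for illustration; on Firebase the real ones would be `admin.auth().verifyIdToken` and the global `fetch`, with the key read from the function's environment.

```javascript
// Added example, not code from any poster in this thread, from Firebase or from
// Vercel: the "app -> your backend -> OpenAI" hand-off the replies recommend,
// written as plain Node.js (no firebase-functions import) so it runs offline.
// Names such as handleChatRequest, ALLOWED_MODELS and the stubbed deps below are
// assumptions for illustration; on Firebase, verifyIdToken would be
// admin.auth().verifyIdToken and fetchImpl the global fetch.

const OPENAI_URL = "https://api.openai.com/v1/chat/completions";
// Only the models the apps really use. Anything else (e.g. an embedding model
// nobody in the apps calls) is refused before the key is ever attached.
const ALLOWED_MODELS = new Set(["gpt-3.5-turbo"]);
const MAX_PROMPT_CHARS = 4000;

// "Bearer <token>" from the Authorization header, or null if absent/malformed.
function extractBearer(headers) {
  const value = headers.authorization || headers.Authorization || "";
  const m = /^Bearer\s+(\S+)$/.exec(value);
  return m ? m[1] : null;
}

// Validate the client body. Returns a reason string to reject, or null if OK.
function validateClientBody(body) {
  if (!body || typeof body !== "object") return "body must be a JSON object";
  if (!ALLOWED_MODELS.has(body.model)) return `model not allowed: ${body.model}`;
  if (!Array.isArray(body.messages) || body.messages.length === 0) return "messages required";
  const chars = body.messages.reduce((n, m) => n + String((m && m.content) || "").length, 0);
  if (chars > MAX_PROMPT_CHARS) return "prompt too long";
  return null;
}

// Build the upstream request. This is the only place the secret appears, and it
// goes in a header on the server's own outbound call, never in anything returned
// to the phone.
function buildUpstreamRequest(body, apiKey) {
  return {
    url: OPENAI_URL,
    method: "POST",
    headers: { Authorization: `Bearer ${apiKey}`, "Content-Type": "application/json" },
    body: JSON.stringify({ model: body.model, messages: body.messages }),
  };
}

// Hand the app only the assistant text, not the raw upstream JSON.
function sanitizeUpstreamResponse(json) {
  const choice = json && Array.isArray(json.choices) ? json.choices[0] : null;
  const text = choice && choice.message ? choice.message.content : null;
  return { reply: typeof text === "string" ? text : "" };
}

// Request handler: authenticate the caller, validate the body, call OpenAI with the
// server-held key, return a sanitized result. `deps` is injected for testability.
async function handleChatRequest(req, deps) {
  const { apiKey, verifyIdToken, fetchImpl } = deps;
  const token = extractBearer(req.headers || {});
  if (!token) return { status: 401, body: { error: "missing bearer token" } };

  let user;
  try {
    user = await verifyIdToken(token); // throws on a forged/expired token
  } catch (e) {
    return { status: 401, body: { error: "invalid token" } };
  }

  const problem = validateClientBody(req.body);
  if (problem) return { status: 400, body: { error: problem } };

  const up = buildUpstreamRequest(req.body, apiKey);
  const res = await fetchImpl(up.url, { method: up.method, headers: up.headers, body: up.body });
  // Don't relay OpenAI's own error body; it can include account details.
  if (!res.ok) return { status: 502, body: { error: "upstream error" } };

  const out = sanitizeUpstreamResponse(await res.json());
  return { status: 200, body: { uid: user.uid, reply: out.reply } };
}

// Offline demo with constructed stubs standing in for Firebase Auth and OpenAI.
const demoDeps = {
  apiKey: "sk-DEMO-NOT-REAL",
  verifyIdToken: async (t) => { if (t !== "good-id-token") throw new Error("bad token"); return { uid: "user-123" }; },
  fetchImpl: async () => ({ ok: true, json: async () => ({ choices: [{ message: { content: "hello from stub" } }] }) }),
};
handleChatRequest(
  { headers: { authorization: "Bearer good-id-token" },
    body: { model: "gpt-3.5-turbo", messages: [{ role: "user", content: "hi" }] } },
  demoDeps,
).then((r) => console.log(JSON.stringify(r)));
```

The point of the split is that the phone only ever holds a short-lived identity token, so a Charles or Wireshark capture of the app's traffic shows the token and your own endpoint, not the OpenAI key. The model allowlist is the second half of the defence: even a caller who gets past the function can only spend on the models the apps actually use, which would have made the unexpected embedding usage in the original post impossible rather than merely visible. On Vercel the same handler body lives under /api, and it is server-side in the sense that matters here as long as the key is read only from the server's environment and never shipped to the client bundle.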