Steps to reproduce:
- Download the apk
- Decompile the app
- Go to res-values-strings.xml
Information disclosed (obfuscated):
Impact: Google API key can be used by the attacker
Note: The app version was not clear from the report, so I have assumed it was a fresh download and marked this as affecting the latest version.
(Prepared by @michaelh based on report to the security inbox by Tarun Tandon, SF case 00073723)