Question

Solved1.53K views6th July 2022Dataminer Maps Google Maps security

2

Sergio Abreu [SLC] [DevOps Advocate]150 5th July 2022 0 Comments

Hi,

We are integrating DMA Maps with Google Maps and Customer security department raised the following questions:

Which information will be sent to Google?
We plan to create a layer presenting Geo coordinate (Long / Lat) and VSAT Network KPI on the site (Latency, Traffic, Signal Strength, etc.…).
Which mechanism is implemented by SKYLINE for protect the API Key in the code (script on browser)?

Sergio Abreu [SLC] [DevOps Advocate] Selected answer as best 6th July 2022

2 Answers

5

Wim Bruynooghe [SLC] [DevOps Advocate]6.59K Posted 5th July 2022 2 Comments

Our DataMiner Maps application loads in the Maps JavaScript library from Google and executes methods from this library. I can’t say what information Google sends to itself and what information they collect, we have no control over this. Google provides more details about this in the Google Cloud Platform portal (see project settings, privacy & security). You must agree to their terms (including their data processing terms) to be able to use the Google Maps JavaScript API. In case you have concerns, we have alternatives, DataMiner Maps can also be used with OpenStreetMap and OpenMapTiles (which can be hosted offline).
The browser has to know the API key to be able to pass it on to Google, so inside the browser there is no security on this. When configuring your DataMiner with https, then this API key is always transferred securely over the network and the Internet. Users have to authenticate on DataMiner first before they are able to get access to the API key. Note that an API key is always linked to a FQDN (as configured in the Google Cloud Platform portal).

Sergio Abreu [SLC] [DevOps Advocate] Selected answer as best 6th July 2022

Gellynck Jens [SLC] commented 5th July 2022

I’m wondering if the API key stored on disk in an encrypted form?

Wim Bruynooghe [SLC] [DevOps Advocate] commented 5th July 2022

No, it’s saved in plain-text in an xml file (MapsServerConfig.xml). I think this is fine because this API key should not be seen as a private key. Google Maps has build-in protection so that this API key can not be used by someone else on another website. There are numerous websites with a Google Maps integration available publicly on the Internet of which you can easily get the API key.

I’m wondering if the API key stored on disk in an encrypted form?
No, it’s saved in plain-text in an xml file (MapsServerConfig.xml). I think this is fine because this API key should not be seen as a private key. Google Maps has build-in protection so that this API key can not be used by someone else on another website. There are numerous websites with a Google Maps integration available publicly on the Internet of which you can easily get the API key.

score 1 · Answer 1 · 2022-07-27T15:21:02+00:00

1

Michiel Vanthuyne [SLC] [DevOps Enabler]4.17K Posted 5th July 2022 1 Comment

Hi Sergio, if sending data to Google is a concern for your customer, an alternative could be to use open street map which we also support. For more info, please check “Configuring maps host servers” in the help pages.

Sergio Abreu [SLC] [DevOps Advocate] Posted new comment 27th July 2022

Sergio Abreu [SLC] [DevOps Advocate] commented 27th July 2022

Thank you Michiel, that option is not yet discarded…

Google Maps API – security questions

2 Answers