Using Google API Key with restriction in Android
While creating a Google Maps API key there are four restrictions we can apply:

  1. IP addresses (web servers, cron jobs, etc.)
  2. HTTP Referer (JavaScript)
  3. Android (for SDK)
  4. iOS (for SDK)

Now everything works fine if we use the keys to their respective places.

The problem comes when we want to access some API from mobile (Android/iOS) using REST, e.g. fetching nearby places for user input. Which restriction will work in this case, and how do we handle that?

I have tried all the restrictions and it won't work.

Thanks in advance.

Egomania answered 30/4, 2020 at 8:21 Comment(0)
12

You can restrict the key to your Android app and make an HTTP REST call from within your app by passing the Android package name and SHA-1 in the headers of your HTTPS call:

  "X-Android-Package": "your.androidpackage.id"
  "X-Android-Cert": "0000000000000000000000000000000000000000"

* Be sure to remove the colons ':' in the SHA-1.

You still need to pass and expose 'key' as a URL param, but without the credentials in the header it will be blocked.

Suomi answered 22/10, 2020 at 16:55 Comment(7)
Don't send the SHA1 key through your header! Completely unsafe. - Ransack
@EdgarKhimich Then how to restrict the API? - Unorthodox
You can keep your keys on the server encrypted. - Ransack
If you're using HTTPS it is safe because headers will be encrypted. Actually, the SHA1 key can be extracted from the .apk file, so there is no need for anxiety. - Swoon
This saved me, man! Thanks for the colon-removing tip. - Succumb
Thanks for posting this. I'm facing a similar issue and will try your solution. One comment I can make is that this solution is a bit "unsafe" in the sense that you will be exposing your SHA1 key to Man-In-The-Middle attacks: you can add a self-signed certificate in Android settings and then you can easily decrypt HTTPS using Wireshark. So the API key is in the query string, so it's already exposed to this vector of attack; headers will also be visible, so I think exposing SHA1 this way is risky. - Hube
The docs seem to back this answer up: cloud.google.com/docs/authentication/api-keys#android - Pokelogan
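The request shape this answer describes, written out as an added example (not code from the answer author): the key travels as a URL parameter, and the two headers bind the call to a package name and a signing-certificate fingerprint. The fingerprint is the SHA-1 over the DER bytes of the signing certificate, which keytool prints colon-separated; the helper below strips the colons and rejects anything that is not 40 hex digits, since that is the mistake the comments above keep running into. The Nearby Search endpoint, the package name and the key value are placeholders, and the certificate bytes are constructed, not a real certificate.

```python
import hashlib
import re
import urllib.parse
import urllib.request

# Places API Nearby Search endpoint (assumed here for illustration).
PLACES_NEARBY_URL = "https://maps.googleapis.com/maps/api/place/nearbysearch/json"


def cert_fingerprint_sha1(cert_der: bytes) -> str:
    """SHA-1 of the signing certificate's DER bytes, as 40 upper-case hex digits.

    keytool / Gradle's signingReport print the same digest colon-separated.
    """
    return hashlib.sha1(cert_der).hexdigest().upper()


def normalize_sha1(fingerprint: str) -> str:
    """Accept 'AB:CD:...' or 'ABCD...' and return the colon-free form the
    X-Android-Cert header expects. Anything else is rejected up front rather
    than producing a request Google will silently refuse."""
    cleaned = fingerprint.replace(":", "").strip().upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"not a SHA-1 fingerprint: {fingerprint!r}")
    return cleaned


def android_restricted_headers(package_name: str, sha1_fingerprint: str) -> dict:
    """Headers that identify the calling app to an Android-restricted key."""
    return {
        "X-Android-Package": package_name,
        "X-Android-Cert": normalize_sha1(sha1_fingerprint),
    }


def build_nearby_request(api_key: str, package_name: str, sha1_fingerprint: str,
                         lat: float, lng: float, radius_m: int) -> urllib.request.Request:
    """Assemble (but do not send) the HTTPS request: key in the query string,
    app identity in the headers. Sending it is urllib.request.urlopen(req)."""
    params = {"location": f"{lat},{lng}", "radius": str(radius_m), "key": api_key}
    url = PLACES_NEARBY_URL + "?" + urllib.parse.urlencode(params)
    return urllib.request.Request(url, headers=android_restricted_headers(package_name, sha1_fingerprint))


if __name__ == "__main__":
    # Constructed input: not a real certificate, not a real key.
    fake_cert_der = b"constructed DER bytes, not a real certificate"
    colon_form = ":".join(cert_fingerprint_sha1(fake_cert_der)[i:i + 2] for i in range(0, 40, 2))
    req = build_nearby_request("API_KEY_PLACEHOLDER", "com.example.app", colon_form, 12.9716, 77.5946, 500)
    print(req.full_url)
    print(req.header_items())
```

The key is still readable by anyone who can inspect the app or its traffic, exactly as the comments say; what the restriction buys is that Google rejects the key unless the package and certificate headers match the ones registered for it, so a copied key is useless without also spoofing the app identity.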
2

You want to use the Places API web service from your mobile app. Typically Google Maps API web services are supposed to be called from backend servers, and they support only IP address restrictions.

I would suggest having a look at the following article regarding restrictions that can be set for different APIs

https://developers.google.com/maps/faq#keysystem

As you can see, the Places API web service can use only the IP address restriction. It doesn't make much sense to send Places API requests directly from mobile devices, because each device has its own IP address and you don't know the IP addresses of users' devices. So the only feasible workaround to protect an API key is to create an intermediate backend server.

The app should send its request to your intermediate server; the intermediate backend server should send the Places API request to Google with a protected API key restricted to the IP address of your server, and proxy the results back to your app.

In this scenario you need two API keys: one for the Google Maps Android SDK with the Android app restriction, and another one for the Places API web service with the IP address restriction.

Bromoform answered 30/4, 2020 at 19:5 Comment(2)
I understand your point, but we already have code written on our mobile end. So I'm thinking whether there is some workaround for this or not. But still, thanks for your response. - Egomania
If you want to send requests directly from mobiles, the only option is using an unprotected API key. And this API key must be different from the one you use for the Android Maps SDK, because the SDK requires the Android app restriction and it won't work with web services. - Bromoform
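The intermediate-server pattern from this answer, as an added example (not the answerer's code): a small HTTP proxy that accepts only the parameters the app legitimately needs, builds the upstream Places request itself, and attaches the IP-restricted key from the server's environment. The client never sees the key, and upstream failures are reported without echoing the upstream URL, so the key does not leak through error messages either. The Nearby Search endpoint, the `/nearby` route, the `PLACES_SERVER_KEY` variable name and the radius cap are assumptions for this example.

```python
import json
import os
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Upstream endpoint and a radius cap (both assumed for this example).
UPSTREAM = "https://maps.googleapis.com/maps/api/place/nearbysearch/json"
MAX_RADIUS_M = 50000


def parse_nearby_query(query: str) -> dict:
    """Validate what the app is allowed to ask for. The client supplies
    coordinates and an optional radius only; it never supplies the key."""
    q = urllib.parse.parse_qs(query, keep_blank_values=False)
    try:
        lat = float(q["lat"][0])
        lng = float(q["lng"][0])
        radius = int(q.get("radius", ["500"])[0])
    except (KeyError, ValueError) as exc:
        raise ValueError("lat, lng (decimal degrees) and optional radius (integer metres) are required") from exc
    if not (-90 <= lat <= 90 and -180 <= lng <= 180):
        raise ValueError("coordinates out of range")
    if not (1 <= radius <= MAX_RADIUS_M):
        raise ValueError(f"radius must be between 1 and {MAX_RADIUS_M} metres")
    return {"lat": lat, "lng": lng, "radius": radius}


def upstream_url(params: dict, server_key: str) -> str:
    """Build the Google request server-side; the key is added here, never by the client."""
    query = urllib.parse.urlencode({
        "location": f"{params['lat']},{params['lng']}",
        "radius": params["radius"],
        "key": server_key,
    })
    return f"{UPSTREAM}?{query}"


def fetch_upstream(url: str) -> bytes:
    """Call Google from the server's (IP-restricted) address and return the raw JSON."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read()


class NearbyProxy(BaseHTTPRequestHandler):
    # Read once from the environment; "PLACEHOLDER" only so the file imports without it set.
    server_key = os.environ.get("PLACES_SERVER_KEY", "SERVER_KEY_PLACEHOLDER")

    def do_GET(self):
        parsed = urllib.parse.urlsplit(self.path)
        if parsed.path != "/nearby":
            self._reply(404, b'{"error":"not found"}')
            return
        try:
            params = parse_nearby_query(parsed.query)
        except ValueError as exc:
            self._reply(400, json.dumps({"error": str(exc)}).encode())
            return
        try:
            body = fetch_upstream(upstream_url(params, self.server_key))
        except OSError:
            # HTTPError/URLError are OSError subclasses; do not relay the upstream
            # URL or message, since both could reveal the server-side key.
            self._reply(502, b'{"error":"upstream unavailable"}')
            return
        self._reply(200, body)

    def _reply(self, status: int, body: bytes) -> None:
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Example: curl 'http://127.0.0.1:8080/nearby?lat=12.9716&lng=77.5946&radius=500'
    HTTPServer(("127.0.0.1", 8080), NearbyProxy).serve_forever()
```

In a real deployment the proxy is the place to add what a bare key cannot give you: authenticating the app's users, rate limiting per user, and logging which account asked for what, since the IP restriction only ties the key to this server, not to any particular caller of it.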
0

The Android/iOS restriction will work in this case: put your SHA over there in the place required, and then your package name in the case of Android. It will work; also enable the API which you are using from the console.

Uppercase answered 30/4, 2020 at 14:54 Comment(1)
It depends on the API; not all of them support app-level restriction. - Hube