This IP, site or mobile application is not authorized to use this API key - Android App

Question

I am attempting to limit the usage of my Android API key (for Google Maps Direction API) to Android Apps that are signed with my SHA-1 fingerprints. The key will work perfec

Answer 1

As you have found, any API key will work here as long as it's not secured, but a secured Android API key will not work for the Google Maps Directions API.

Quite simply, you need to use a Server API key for the Directions API (or any of the webservice APIs).

From the documentation::

The Google Maps Directions API will only work with a Server key.

The reason for this is that these webservice APIs were originally intended to be used on websites, not in Android apps.

Furthermore, the only way to secure a Server key is with an IP address, so there is no way to do it client-side.

The official recommendation from Google is to use a proxy server that the app makes requests to, and make the Directions API request from the proxy server.

See here (This is specific to the Places webservice API, but it's valid for any of the webservice APIs): https://groups.google.com/forum/#!topic/google-places-api/SmujrL-pDpU

Response from Google employee:

Alexey,

Anything stored client side is compromisable, even with obfuscating, you are only making it somewhat slower for a dedicated hacker to access.

I would suggest you set up your application to send your Places requests without the API Key to a proxy server to receive the request, append the API Key to the end of the request, send the request, and then receive and return the response from the request to your application.

Cheers,

Chris