2

I wonder if my Google maps API key is safe the way I use it now. Because I have a Cordova application with Google maps, I have generated an API key. I cannot white-list the key to my domain, because it runs client side on the phone.

Also my API key is visible for anyone who unpacks my app and read the index.html, or listen to the web requests that the app makes.

Is there any way to protect my API key? And if there isn't, it is safe to use Google maps, or any other third party API that uses a API key for authentication?

Ricconnect
  • 1,089
  • 5
  • 25
  • do you use the javascript SDK or a plugin? the javascript SDK v3 doesn't require API key – jcesarmobile Feb 02 '15 at 12:08
  • Where did you get this information? [Here](https://developers.google.com/maps/documentation/javascript/tutorial#api_key) they talk about that for every google maps api request an API key is required – Ricconnect Feb 02 '15 at 12:34
  • I've been using v3 since 2010 without API key. I've just read they added the possibility to use the API key in 2012 because they added ussage limits http://stackoverflow.com/questions/2769148/whats-the-api-key-for-in-google-maps-api-v3 – jcesarmobile Feb 02 '15 at 13:37
  • You could create a simple plugin that get the API key from the native side and then load the .js async, but it isn't hard for "hackers" to get the API key from native code too – jcesarmobile Feb 02 '15 at 13:39

2 Answers2

2

I see two possible solutions to your problem. Both of them I have already personally implemented (not with GMaps though) but still have some downsides.

(1) You can use a backend technology to add in API keys to your requests. For this it is advisable to use a combination of something like Apache2 mod_proxy and mod_rewrite. In your application you then use URLs that point to your proxy server i.e. https://yourserver.com/js/googleapis/maps/api/js and make mod_rewrite this URLs to something like https://maps.googleapis.com/maps/api/js?key=API_KEY

A rule for mod_rewrite (not tested) could look like this:

RewriteCond %{QUERY_STRING}  ^$
RewirteRule ^/googleapis/maps/api/js (.*)$ https://https://maps.googleapis.com/maps/api/js?key=API_KEY

I think you get the idea. The big advantage of this approach is that you can completely hide your private information on a server you control. The downsides are: If your app causes high traffic you will most likely experience high traffic on the proxy machine. Further if attackers figure out the URL to your Google Maps API proxy endpoint it will be easy for them to retrieve the GMaps API through your service.

(2) The second option would be to create a service to retrieve your API keys. Assuming your application already needs some form of authentication anyways you cold go a road where the API key service hands out the API key only to registered and authenticated users.

Both approaches will have their downsides regarding better tooling for debugging mobile-web applications. I.e. an attacker using MacOS, XCode and Safari on a desktop could establish a debugging session to your Cordova application and step debug the JS code that runs inside your App. Which means whatever stretch you make in the Cordova arena it is quite easy to attach to your App and read variables.

Matthias Steinbauer
  • 1,786
  • 11
  • 24
  • The first option is not usable I think, because the proxy URL has to be hard-coded in my source files and that way it can be read by an attacker. But I think that you are right. The only way to make sure the API key is not directly read from my source files, is to retrieve the API key from my own API only when the user is authenticated. – Ricconnect Feb 10 '15 at 07:55
0

No credit to comment on accepted answer but personally, I'd go for the 2nd option suggested by Matthias Steinbauer. However, his concern about an attacker debugging your Production app doesn't apply to apps built with a Distribution Provisioning profile (such as required when submitting to the App Store) - only apps signed with a Developer Provisioning profile. The same goes for Google Apps too. IF it were possible to just debug a prod app, then say goodbye to security.

Having said that, an App's static content can be viewed by others (since app is just a zip file) - so don't hard-code any keys or security info.

Personally, I'd also obfuscate the source when building prod version.

Hope it helps

Lactose.Int.Robot
  • 71
  • 8