7

I am attempting to limit the usage of my Android API key (for Google Maps Direction API) to Android Apps that are signed with my SHA-1 fingerprints. The key will work perfectly fine when I do not "Add package name and fingerprint" under the Credentials on the Google Developers Console. But when I Add them this error comes up:

W/System.err: com.google.maps.errors.RequestDeniedException: This IP, site or mobile application is not authorized to use this API key. Request received from IP address XX.XX.XXX.XXX, with empty referrer

The majority of the answers that are given to solve this error are for the Places API and solve it by switching to a Server API key. I need to use an Android key and want to limit the users of that key.

Points I noticed:

  1. Google does recognize I am using a valid API key.
  2. Google does recognize the correct SHA-1 signature, Google will show an error with the signature if I use an invalid API key.

Any help would be much appreciated!

ppreetikaa
  • 1,149
  • 2
  • 15
  • 22
BrianMiz
  • 1,101
  • 1
  • 10
  • 15
  • Possible duplicate of [This IP, site or mobile application is not authorized to use this API key](https://stackoverflow.com/q/21933247/608639) – jww Nov 11 '18 at 02:08

1 Answers1

15

As you have found, any API key will work here as long as it's not secured, but a secured Android API key will not work for the Google Maps Directions API.

Quite simply, you need to use a Server API key for the Directions API (or any of the webservice APIs).

From the documentation::

The Google Maps Directions API will only work with a Server key.

The reason for this is that these webservice APIs were originally intended to be used on websites, not in Android apps.

Furthermore, the only way to secure a Server key is with an IP address, so there is no way to do it client-side.

The official recommendation from Google is to use a proxy server that the app makes requests to, and make the Directions API request from the proxy server.

See here (This is specific to the Places webservice API, but it's valid for any of the webservice APIs): https://groups.google.com/forum/#!topic/google-places-api/SmujrL-pDpU

Response from Google employee:

Alexey,

Anything stored client side is compromisable, even with obfuscating, you are only making it somewhat slower for a dedicated hacker to access.

I would suggest you set up your application to send your Places requests without the API Key to a proxy server to receive the request, append the API Key to the end of the request, send the request, and then receive and return the response from the request to your application.

Cheers,

Chris

Daniel Nugent
  • 43,104
  • 15
  • 109
  • 137
  • 2
    Thank you for your answer. Though I still find it hard to believe that Google will not let you use a more secure API key over a key that has no security. – BrianMiz Dec 30 '15 at 16:42