I'm trying to find an updated answer to this question from 2012.
Googles API keys can be restricted for urls, ip addresses, or mobile apps.
How does their restriction work? Is it just a header that gives the bundle ID which could very easily be faked by a hacker? Or is there something clever going on that can't be faked as easily?
“S” — Security!
Right now it seems like SDK just adds X-iOS-Bundle-Identifier header with the app Bundle ID to every geocoding request :(
So even a baby-hacker could use your Google key anytime in his own apps or services.
curl --header "X-iOS-Bundle-Identifier: com.attacked.Application" "https://maps.googleapis.com/maps/api/geocode/json?latlng=37.4134391,-122.1513073&key=[STOLEN-GOOGLE-KEY]"
