3

We were using a GCP API key on multiple platforms (Android, iOS, Web) for Google Maps, location search (api/place/autocomplete), static Google Maps, etc. Now I want to create a new, separate key for the Android app so I can add appropriate restrictions such as package name, SHA-1 and the APIs used.

I've created a new key and changed it in the app. After that the map is working fine, but the location search API keeps throwing an exception: "This IP, site or mobile application is not authorized to use this API key. Request received from IP address <ip>, with empty referer"

Has anyone faced this issue? Or any clue as to how I should debug this?

evan
Ankit

2 Answers

2

You cannot make web service requests using an API key that is Android or iOS restricted. Web services are server-side and only work with API keys that are restricted by IP address.

Each of your API keys should be restricted properly based on the API in use.

For web services, use an IP-restricted API key.
For client-side services, use an HTTP referrer-restricted API key.
For Maps and Places SDK for Android or iOS, use an Android/iOS restricted API key.

To learn more on API key restrictions for Google Maps APIs please check out these resources: https://developers.google.com/maps/faq#keysystem
https://developers.google.com/maps/api-key-best-practices#restrict_apikey

Hope this clarifies your question!

evan
1

GCP security alert. I have the same issue. I'm using an Android RN application, but this could help with any mobile app (native or React Native). The issue comes up when you are hardcoding your API key (in this case the Google Places API key) into your source code. To avoid it, you should remove it and add it as a system/environment variable, depending on which OS you are using (macOS or Windows), or on your CI/CD if you are delivering your app through it. I solved it with the steps below:

  • I had to set up my system environment variables in my local environment. In my case I'm using macOS: open a terminal and run

    export GOOGLE_PLACES_ANDROID_API_KEY=Insert_API_KEY_here

  • (Optional, but this is better) or copy it into ~/.bash_profile

  • Make sure my system/environment variable is there: run "printenv" in the terminal; this will list the variables, and your API key should be there

    GOOGLE_PLACES_ANDROID_API_KEY

  • Add the following lines to android/gradle.properties

    # GOOGLE PLACES (we will replace this value DON'T COPY YOUR API KEY HERE)
    GOOGLE_PLACES_ANDROID_API_KEY=HiHackerNoMyKey

  • Add the following lines in app/build.gradle inside defaultConfig

    defaultConfig {
      buildConfigField("String", "GOOGLE_PLACES_ANDROID_API_KEY", "\"${GOOGLE_PLACES_ANDROID_API_KEY}\"")
    }

In my case I'm using App Center as CI, so I added this line for when we are building in CI; my CI should already have my API key set up as a system/environment variable.

    buildConfigField("String", "GOOGLE_PLACES_ANDROID_API_KEY", "\"${System.env.GOOGLE_PLACES_ANDROID_API_KEY}\"")

And you can call it using Java:

    Log.i(TAG, BuildConfig.GOOGLE_PLACES_ANDROID_API_KEY);

More reference: https://developer.android.com/studio/build/gradle-tips#simplify-app-development

I hope this helps!!

Jan
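A check that can run before a commit or in CI for the setup described in the answer above, added here as an example (not code from either answer): it looks for key-shaped strings left in the project tree and confirms the variable is exported. It assumes the usual Google API key shape (39 characters starting with `AIza`); the function names and the sample project are constructed for illustration.

```bash
#!/bin/sh
# Added example, not from the original answers.
# Assumption: Google API keys are 39 characters and start with "AIza".
KEY_RE='AIza[0-9A-Za-z_-]{35}'

# Print "file:line" for each key-shaped string under $1, never the key itself.
find_hardcoded_keys() {
  grep -rEnI --exclude-dir=.git --exclude-dir=build --exclude-dir=node_modules \
    -e "$KEY_RE" "$1" 2>/dev/null | cut -d: -f1,2
}

# Return 0 when no key is committed under $1 and the variable named in $2
# (default: the name used in the answer) is present in the environment.
check_project() {
  cp_root=$1
  cp_var=${2:-GOOGLE_PLACES_ANDROID_API_KEY}
  cp_status=0
  cp_hits=$(find_hardcoded_keys "$cp_root")
  if [ -n "$cp_hits" ]; then
    echo "key-shaped string found at:" >&2
    echo "$cp_hits" >&2
    cp_status=1
  fi
  if [ -z "$(printenv "$cp_var")" ]; then
    echo "$cp_var is not set in this environment" >&2
    cp_status=1
  fi
  return "$cp_status"
}

# Constructed sample project: the placeholder from the answer in
# gradle.properties, plus a fake key (AIza + 35 zeros) pasted into a Java file.
make_sample() {
  ms_dir=$(mktemp -d)
  mkdir -p "$ms_dir/android/app/src"
  echo 'GOOGLE_PLACES_ANDROID_API_KEY=HiHackerNoMyKey' \
    > "$ms_dir/android/gradle.properties"
  printf 'String k = "AIza%035d";\n' 0 > "$ms_dir/android/app/src/Places.java"
  echo "$ms_dir"
}
```

A key read from the environment at build time is still compiled into the APK through `BuildConfig`, so the Android app restriction (package name and SHA-1) and the API restriction on the key remain necessary.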