Good day everyone. I am a beginner in using Cordova and Firebase. I have made a crud android app that uses Firebase and is coded using vanilla JavaScript. So far I learned cordova wraps HTML/JavaScript webapp into a native container like android app. From what I understand my web app runs on a local host server via the cordova native wrapper.(Sorry if I am wrong)
So basically all my source code (html/js/firebase config) is packaged in the apk file which can be easily unpacked by various tools. What concerns me is my firebase API key, that if someone with malicious intent got the key then they could spam my database or create a lot of users.
I know that I can restrict access on database etc. via firebase rules but what I want to know how to restrict my api key access to my app only. I have watched YouTube tutorials on how to do this but I am really confused on how to do this on a webapp running as a cordova android app. I see in google console that I can restrict the API key access on the following options below as seen in the image below.
I don't know if my app should fall through the android app option since all my API key requests are done through the web app locally with JavaScript. What do I choose on these options, sorry if this is too long. I'm just lost and not sure what to apply on my specific situation also this is my first time posting on the website so any help would be greatly appreciated.
