Restricting Usage for an Android Key for a Google API


Hitting the API directly from your code rather than going through a Google-provided intermediate SDK means that there's no mechanism available to securely get your app's certificate fingerprint and pass that fingerprint along to the API. On the other hand, when you're using one of the provided Android SDKs instead of hitting the API directly—for example, when you send requests using the Android Google Maps SDK—the SDK can handle getting your app's certificate fingerprint so that the app restriction will work as intended.

The Google Developers Console is misleading in this respect because, for some of its APIs, it allows developers to set up key restrictions based on the Android app certificate fingerprint, but then doesn't make available an SDK for Android that's able to check that fingerprint at runtime. What developers are left with, then, is the worse, more insecure option of sending the X-Android-Cert and X-Android-Package headers alongside their requests as described in the other answer here.

So for the APIs for which no accompanying Android SDK to handle the checking of app certificate fingerprint has been published, it turns out that there's no hidden easy way to get something like, say, Google Play Services to handle getting your app's certificate fingerprint in order to properly use the app key restriction—there's just not a way to do it.

Google Geocode API KEY Restriction for Mobile Applications

You are most likely using a web service with your API key that is restricted for Android/iOS Apps.

Due to the Mobile App restrictions, it can only be used for the Maps Android/iOS SDKs, and not any web service or JavaScript API.

What I recommend doing is identifying which web service is giving this error (probably Geocoding API, please double-check), and creating a separate API key with IP-address restrictions (not Android/iOS App), so that it can be used for the web service.

How to restrict Firebase API keys in the Google Cloud console

I found out how Firebase updates its keys:

When you first obtain your app's Firebase config file/object, Firebase checks if there are any existing API keys in your project that have "Application Restrictions" that match the app (for example, a matching bundle ID for the Apple app).

If Firebase doesn't find any restricted keys that match, then it will list in the config file/object the iOS key for Apple apps, the Android key for Android apps, and the Browser key for web apps (assuming that these keys exist and have no "Application Restrictions" that keep them from matching to that app).

So I had to configure the Android package ID and the fingerprint of the app correctly in the Google Console, so that it gets synchronized when I create a new Firebase project.

See: https://firebase.google.com/docs/projects/api-keys#faq-auto-matching-app-to-key

How to create restricted Api Key to use directions api?

Since your application is using a web service (Directions API), I believe you'll have to do the following to secure your API key:

  • Apply an API restriction on the API key. This action narrows the scope of the API key to the APIs you associate with the key.
  • Obfuscate or encrypt the API key. This action complicates key scraping attempts directly from the application.
  • Use CA pinning or certificate pinning to verify the server resources are valid. CA pinning checks that a server's certificate was issued by a trusted certificate authority, and prevents Man-In-The-Middle attacks that could lead to a third party discovering your API key. Certificate pinning goes further by extracting and checking the public key included in the server certificate. Pinning is useful for mobile clients communicating directly with Google servers, as well as mobile clients communicating with the developer's own proxy server.
  • Use a proxy server. The proxy server provides a solid source for interacting with the appropriate Google Maps Platform API.

More can be found in the "On mobile apps that use Maps Web Service APIs" section of our public documentation on Protecting API Keys.
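The proxy-server option from the list above, worked through as an added example (this is not code from the original answer, and not Google's own code). The Directions API key lives only on the proxy, where it can be restricted by the proxy's egress IP address as the Geocoding answer suggests, and the mobile app never receives it. The client-parameter allowlist, the `DIRECTIONS_API_KEY` environment variable name and the `ALLOWED_MODES` set are assumptions made for this example; the upstream endpoint is the public Directions API URL.

```python
"""Server-side request builder for a Directions API proxy (added example).

Assumptions (not from the original answer): the key is read from the
DIRECTIONS_API_KEY environment variable, the app may only send the
parameters in ALLOWED_PARAMS, and travel modes are limited to ALLOWED_MODES.
"""
import os
from typing import Dict, Optional
from urllib.parse import urlencode

UPSTREAM = "https://maps.googleapis.com/maps/api/directions/json"
ALLOWED_PARAMS = {"origin", "destination", "mode"}
ALLOWED_MODES = {"driving", "walking", "bicycling", "transit"}
MAX_LEN = 256  # upper bound on an origin/destination string accepted from the app


class BadRequest(ValueError):
    """Raised when the app's request is rejected before anything is forwarded."""


def build_upstream_url(client_params: Dict[str, str], api_key: Optional[str] = None) -> str:
    """Validate the app's parameters and build the upstream Directions URL.

    Only allow-listed parameters are forwarded, so the proxy cannot be used as
    an open relay (a client-supplied 'key' or any other extra parameter is
    rejected), and the server's own key is appended last.
    """
    key = api_key if api_key is not None else os.environ.get("DIRECTIONS_API_KEY")
    if not key:
        raise RuntimeError("DIRECTIONS_API_KEY is not configured on the proxy")

    extra = set(client_params) - ALLOWED_PARAMS
    if extra:
        raise BadRequest(f"unexpected parameters: {sorted(extra)}")

    for required in ("origin", "destination"):
        value = client_params.get(required)
        if not isinstance(value, str) or not value or len(value) > MAX_LEN:
            raise BadRequest(f"missing or invalid '{required}'")

    mode = client_params.get("mode", "driving")
    if mode not in ALLOWED_MODES:
        raise BadRequest(f"unsupported mode '{mode}'")

    forwarded = {
        "origin": client_params["origin"],
        "destination": client_params["destination"],
        "mode": mode,
        "key": key,  # server-held secret; never echoed back to the app
    }
    return f"{UPSTREAM}?{urlencode(forwarded)}"


def reject_reason(client_params: Dict[str, str], api_key: str = "EXAMPLE_KEY") -> Optional[str]:
    """Return the rejection message for a request, or None if it would be forwarded."""
    try:
        build_upstream_url(client_params, api_key=api_key)
    except BadRequest as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample request as the app would send it (no key involved).
    print(build_upstream_url({"origin": "Zurich", "destination": "Bern"}, api_key="EXAMPLE_KEY"))
    print(reject_reason({"origin": "Zurich", "destination": "Bern", "key": "stolen"}))
```

The proxy's own transport is out of scope here: the handler that calls `build_upstream_url` still needs to authenticate the app (for example with a signed-in user or Play Integrity verdict) and to rate-limit, otherwise the proxy merely relocates the abuse surface from the key to the proxy endpoint.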
