How to Securely Use Google API Keys

How do I securely use Google API Keys

For the Google Maps Javascript API v3 the keys must be public on you page.
The applicable text is:

Restrict your API keys to be used by only the IP addresses, referrer URLs, and mobile apps that need them

Go to the Google API Console and generate a key, restricting it to URLs that you own (or want to put maps on) to prevent quota "theft".

How to secure google API keys

I believe you need to go through the Docs for Google API keys again. There seem to have something called restrictions that should be able to help with you ensuring that your Keys are protected and not used on some other application.

I believe that restrictions prevent a request from other domains you have not included from not being able to render.

API Key best practices

How to securely use Google Map API key on Android?

Secure usage of Google Maps Platform API key in Android apps is described in Google Maps Platform documentation:

https://developers.google.com/maps/documentation/android-sdk/get-api-key#restrict_key

The trick is applying Android app restriction that consist of the package name of your app and SHA-1 fingerprint of your certificate. This restriction is set in your Google Cloud console and is not exposed anywhere in your source code.

If somebody tries to use your API key in unauthorized way they will get an error, because they need your private certificate to make the API key work.

So, there is no problem adding an API key in the source code in case you set an Android restriction properly.

Also, I would suggest having a look at the API key best practices article:

https://developers.google.com/maps/api-key-best-practices

I hope my answer clarifies your doubt.

What steps should I take to protect my Google Maps API Key?

Considering that key has to be included in the <script> tags of your HTML pages, to load the JS files/data from google's servers, there is nothing you can do :

you must put it in your HTML files
every one can take a look at those.

Still, it doesn't really matter : if anyone tries to use this key on another domain than yours, they will get a Javascript alert -- which is not nice for ther users.

So :

There is nothing you can do ; this is the way it works
And there is not much you should worry about, I'd say.

How do you secure project-wide API keys in a mobile app

TL/DR: You don't.

Long answer:

Any key that is distributed with the app can be read by the app for it to use it. The app therefore has what it needs to read the key, even if it is encrypted or obfuscated. An attacker can use the same technique that the app would use, to obtain the key.

Equally, fetching the key form an external source does not protect it. Again an attacker can use the same channel to obtain a copy of the key.

Besides attacking the channel by which the app obtains the key (from an encrypted store inside the package, or from an external source), an attacker can also obtain it from the app's memory or by intercepting network transmissions.

The only secure solution is to never have a copy of the key on the end user device.

The key should be kept on a well secured server which will act as a middle-man between the user's device and the end service. Any requests by the client device to the end service needs to be routed via this server.

The server, having the "global project keys", should make the requests to the end service on the behalf of the end user, and return the result (and never any keys) to the client. For the client to use this server, a per-user authenticated session must be used. The server must validate this session for every request prior to forwarding the request on to the end service.

Summary:

Use a secure server between the client and the end service to make requests on behalf of clients using the global key.

EDIT:
Side note: There is a distinction that needs to be made between per-user keys and keys that are project-wide. It is acceptable to keep keys that are specific to one individual person on that user's device.