
I'm currently using a Google API key I generated that I put inside the Android app to access SafetyNet and Google Maps. I plan on shifting all the calls to the Google Maps API onto my own servers, where I'm storing my Google API key on the server and not in the client. But then, I also use the SafetyNet API in my app, and the Google API key needs to be in the app for the Android app to make the call to get the JWS response. So I'm in a conundrum. I don't want the Google API key anywhere in the app, which would have been fine if I didn't use SafetyNet, but I need to use it.

Sina Darvishi
  • Is API key protected (Android app restriction or IP restriction)? If so, you can safely use it in your app. – xomena Jun 15 '17 at 11:38

1 Answer


With the new API (Play Services 11.0.0+), the API key is not stored in the manifest anymore. You pass it as an argument to the attestation call instead, which opens a bunch of new ways to secure your key. For example:

  • You can obfuscate your key inside your app, and create it programmatically. This just makes it a bit more difficult for attackers to retrieve it.

  • You can send the key from your server to the client app each time you need to do an attestation. That way the key is never stored in the app itself.

However, having a separate key just for attestations should be more than enough. The key is only tied to your quota, which is free of charge, and can be easily increased. Because of this, there is not much of an incentive for a potential attacker to steal your key, and even if it gets stolen, it won't really affect you negatively, as the attestation API is free of charge.

Oscar
    I have a question. Recently I've started to use the new API, and it seems like I'm unable to get it to work if I restrict the API key to only android apps. It works if it's unrestricted. How do I get it to work when I'm restricting it to android apps? – RichyDavisWindow3 May 09 '18 at 05:20
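The second option in the answer (the server hands the app the key at attestation time, so nothing is stored in the APK) looks like this in practice. The code below is an added illustration, not code from the answer or from Google's documentation. It assumes two hypothetical HTTPS endpoints on your own server: `/attest/start`, which returns a JSON body with an `apiKey` and a base64 `nonce`, and `/attest/finish`, which receives the JWS the device obtained. The `SafetyNet.getClient(...).attest(nonce, apiKey)` call and `Tasks.await` are the real Play Services 11.0.0+ APIs; everything else is the example's own scaffolding.

```java
// Added example: fetch the SafetyNet API key and a fresh nonce from your own
// server for every attestation, so the key never lives in the APK.
// Assumptions (hypothetical, not from the answer): START_URL returns
// {"apiKey": "...", "nonce": "<base64>"}; FINISH_URL accepts the compact JWS.

import android.content.Context;
import android.util.Base64;
import com.google.android.gms.safetynet.SafetyNet;
import com.google.android.gms.safetynet.SafetyNetApi;
import com.google.android.gms.tasks.Tasks;
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import org.json.JSONObject;

public final class ServerSuppliedAttestation {

    private static final String START_URL = "https://example.invalid/attest/start";   // hypothetical
    private static final String FINISH_URL = "https://example.invalid/attest/finish"; // hypothetical

    private ServerSuppliedAttestation() {}

    /**
     * Runs one attestation round trip. Call this from a background thread:
     * it performs blocking network I/O and waits for the attestation Task.
     * Returns whatever the server answered after receiving the JWS.
     */
    public static String attestWithServerKey(Context context) throws Exception {
        // 1. Ask the server for a fresh nonce and the attestation-only API key.
        JSONObject start = new JSONObject(httpGet(START_URL));
        String apiKey = start.getString("apiKey");
        byte[] nonce = Base64.decode(start.getString("nonce"), Base64.DEFAULT);
        if (nonce.length < 16) {
            throw new IllegalStateException("nonce must be at least 16 bytes");
        }

        // 2. Pass the key as an argument (Play Services 11.0.0+); nothing is read
        //    from the manifest, and the key only exists in memory for this call.
        SafetyNetApi.AttestationResponse response =
                Tasks.await(SafetyNet.getClient(context).attest(nonce, apiKey));
        String jws = response.getJwsResult();

        // 3. Hand the JWS back to the server, which issued the nonce and can
        //    therefore match the attestation to this request.
        return httpPost(FINISH_URL, jws);
    }

    private static String httpGet(String url) throws Exception {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        try {
            c.setRequestMethod("GET");
            return readBody(c);
        } finally {
            c.disconnect();
        }
    }

    private static String httpPost(String url, String body) throws Exception {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        try {
            c.setRequestMethod("POST");
            c.setDoOutput(true);
            c.setRequestProperty("Content-Type", "application/jose"); // compact JWS
            try (OutputStream out = c.getOutputStream()) {
                out.write(body.getBytes(StandardCharsets.UTF_8));
            }
            return readBody(c);
        } finally {
            c.disconnect();
        }
    }

    private static String readBody(HttpURLConnection c) throws Exception {
        if (c.getResponseCode() != HttpURLConnection.HTTP_OK) {
            throw new IllegalStateException("server returned HTTP " + c.getResponseCode());
        }
        StringBuilder sb = new StringBuilder();
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(c.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = r.readLine()) != null) {
                sb.append(line);
            }
        }
        return sb.toString();
    }
}
```

Two points worth noticing. First, the `/attest/start` endpoint hands the key to whoever calls it, so this pattern only keeps the key out of the shipped APK; it does not make the key secret from someone who can talk to your server, which is exactly why the answer's main advice is to use a separate, quota-only key for attestation so that a leak costs you nothing. Second, the nonce is generated by the server rather than the device so that the server can tie the JWS it receives at `/attest/finish` to the request it started; what the server does to validate the JWS is outside this example.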