0

i'm creating an app that's draw routes between users using only firestore to update users location.

the problem is to use direction api i need Restricted key using (server IP addresses) what should i do ? i don't have server i'm using only firestore

Ibrahim Atef Elmasry
  • 119
  • 7
  • What do you actually want to restrict? – Alex Mamo Jun 24 '19 at 06:55
  • if you are going to put your app in production you need "Application restrictions" (none - http referrers , Ip addresses , android apps - ios apps) so after searching i found out that to use directions api u need Ip addresses restriction i don't know how to do it or what i need to do it – Ibrahim Atef Elmasry Jun 24 '19 at 10:31
  • 1
    I'm voting to close this question as off-topic because it is about the use of a third party service and not about programming, – MrUpsidown Jun 26 '19 at 11:11
  • Do you send Directions API request directly from the app? – xomena Jun 26 '19 at 18:53
  • @xomena yes and it's works as long as my key restriction is none , once i change it to android i get error asking me to use ip server restrictions – Ibrahim Atef Elmasry Jun 30 '19 at 15:25
  • 1
    It's correct. Web services like Directions API, Geocoding API, Distance Matrix API are supposed to be called from server, not from mobile app directly. So you will need put an intermediate server in order to call directions with protected API key. – xomena Jul 01 '19 at 17:10
  • how can i do that ? i don't have experience with servers , so how can i get started and what should i search for ? @xomena – Ibrahim Atef Elmasry Jul 01 '19 at 23:10

2 Answers2

1

Since your application is using a web service (Directions API), I believe you'll have to do the following to secure your API key:

  • Apply an API restriction on the API key. This action narrows the scope of the API key to the APIs you associate with the key.
  • Obfuscate or encrypt the API key. This action complicates key scraping attempts directly from the application.
  • Use CA pinning or certificate pinning to verify the server resources are valid. CA pinning checks that a server's certificate was issued by a trusted certificate authority, and prevents Man-In-The-Middle attacks that could lead to a third party discovering your API key. Certificate pinning goes further by extracting and checking the public key included in the server certificate. Pinning is useful for mobile clients communicating directly with Google servers, as well as mobile clients communicating with the developer's own proxy server.
  • Use a proxy server. The proxy server provides a solid source for interacting with the appropriate Google Maps Platform API.

More can be found in our public documentation On mobile apps that use Maps Web Service APIs of this Protecting API Keys

rafon
  • 1,469
  • 11
  • 21
0

For Android application, you may restrict your Google Maps API key with "Android apps" .

Based on the docs:

To restrict an API key:

  1. Go to the Google Cloud Platform Console.
  2. From the Project drop-down menu, select the project that contains the API key you want to secure.
  3. From the Navigation menu, select APIs & Services > Credentials.
  4. On the Credentials page, click the name of the API key that you want to secure.
  5. On the Restrict and rename API key page, set the restrictions: Application restrictions:
    • Select Android apps and follow the instructions.
    • Click + Add package name and fingerprint.
    • Enter your package name and SHA-1 certificate fingerprint. For example: com.example.android.mapexample BB:0D:AC:74:D3:21:E1:43:67:71:9B:62:91:AF:A1:66:6E:44:5D:75
Jean Gladys Raymundo
  • 569
  • 3
  • 14
  • 1st : ty for answering 2nd : to use directions api you need "IP addresses (web servers, cron jobs, etc.)." restriction check this link (take a look at 'Restrict the API key' 5th step ) https://developers.google.com/maps/documentation/directions/get-api-key – Ibrahim Atef Elmasry Jun 26 '19 at 11:08
  • Can you confirm if you will use this for your android application? (as it was added on your tags). – Jean Gladys Raymundo Jun 26 '19 at 22:59
  • 1
    yes but once i change my key restrictions to android i get error asking me to use ip server restrictions – Ibrahim Atef Elmasry Jun 30 '19 at 15:29