CODEWITHSUNDEEP
google-mapscordova
Ricconnect
Ricconnect

Reputation: 1079

Cordova google maps api key safe enough

I wonder if my Google maps API key is safe the way I use it now. Because I have a Cordova application with Google maps, I have generated an API key. I cannot white-list the key to my domain, because it runs client side on the phone.

Also my API key is visible for anyone who unpacks my app and read the index.html, or listen to the web requests that the app makes.

Is there any way to protect my API key? And if there isn't, it is safe to use Google maps, or any other third party API that uses a API key for authentication?

Upvotes: 2

Views: 2094

Answers (2)

Lactose.Int.Robot
Lactose.Int.Robot

Reputation: 81

No credit to comment on accepted answer but personally, I'd go for the 2nd option suggested by Matthias Steinbauer. However, his concern about an attacker debugging your Production app doesn't apply to apps built with a Distribution Provisioning profile (such as required when submitting to the App Store) - only apps signed with a Developer Provisioning profile. The same goes for Google Apps too. IF it were possible to just debug a prod app, then say goodbye to security.

Having said that, an App's static content can be viewed by others (since app is just a zip file) - so don't hard-code any keys or security info.

Personally, I'd also obfuscate the source when building prod version.

Hope it helps

Upvotes: 0

Matthias Steinbauer
Matthias Steinbauer

Reputation: 1776

I see two possible solutions to your problem. Both of them I have already personally implemented (not with GMaps though) but still have some downsides.

(1) You can use a backend technology to add in API keys to your requests. For this it is advisable to use a combination of something like Apache2 mod_proxy and mod_rewrite. In your application you then use URLs that point to your proxy server i.e. https://yourserver.com/js/googleapis/maps/api/js and make mod_rewrite this URLs to something like https://maps.googleapis.com/maps/api/js?key=API_KEY

A rule for mod_rewrite (not tested) could look like this:

RewriteCond %{QUERY_STRING}  ^$
RewirteRule ^/googleapis/maps/api/js (.*)$ https://https://maps.googleapis.com/maps/api/js?key=API_KEY

I think you get the idea. The big advantage of this approach is that you can completely hide your private information on a server you control. The downsides are: If your app causes high traffic you will most likely experience high traffic on the proxy machine. Further if attackers figure out the URL to your Google Maps API proxy endpoint it will be easy for them to retrieve the GMaps API through your service.

(2) The second option would be to create a service to retrieve your API keys. Assuming your application already needs some form of authentication anyways you cold go a road where the API key service hands out the API key only to registered and authenticated users.

Both approaches will have their downsides regarding better tooling for debugging mobile-web applications. I.e. an attacker using MacOS, XCode and Safari on a desktop could establish a debugging session to your Cordova application and step debug the JS code that runs inside your App. Which means whatever stretch you make in the Cordova arena it is quite easy to attach to your App and read variables.

Upvotes: 2

Related Questions