I have Ionic PWA app published for Android and iOS (I used Capacitor to generate the native build). In the frontend code, it has my Google Maps API key, however, I can't restrict it to any of the options google offers because... HTTP referrers - It's not on a public domain name, it's on a local host within the webview of the native app. http://localhost/ for Android and capacitor://localhost/ for iOS. It does not seem very secure to use these as restrictions as they are very generic, and all other apps will have the same ones. IP addresses - For obvious reasons. Android Apps - It's not within the native code, it's within a webview. iOS Apps - It's not within the native code, it's within a webview. None of these options can work for my situation. So how can I protect my API key from abuse? Any ideas? I can't be the only the one using Google Maps API within an Ionic app.

Reputation: 3680

How to protect Google Maps API key on Ionic app?

I have Ionic PWA app published for Android and iOS (I used Capacitor to generate the native build). In the frontend code, it has my Google Maps API key, however, I can't restrict it to any of the options google offers because...

HTTP referrers - It's not on a public domain name, it's on a local host within the webview of the native app. http://localhost/ for Android and capacitor://localhost/ for iOS. It does not seem very secure to use these as restrictions as they are very generic, and all other apps will have the same ones.
IP addresses - For obvious reasons.
Android Apps - It's not within the native code, it's within a webview.
iOS Apps - It's not within the native code, it's within a webview.

None of these options can work for my situation. So how can I protect my API key from abuse?

Any ideas? I can't be the only the one using Google Maps API within an Ionic app.

Upvotes: 17

Answers (3)

Paranoid Android

Reputation: 5047

Old question but still...

If you do not want to store the api_key in your app, request it at run time from your own server over a POST https request before running any Google Maps requests.

Upvotes: 0

PC Principal

Reputation: 393

You can configure the hostname of capacitor apps

"server": {
    // You can configure the local hostname, but it's recommended to keep localhost
    // as it allows to run web APIs that require a secure context such as
    // navigator.geolocation and MediaDevices.getUserMedia.
    "hostname": "unique-app",
  }

and then restrict the the API keys to capacitor://unique-app

https://capacitor.ionicframework.com/docs/basics/configuring-your-app

Upvotes: 11

xomena

Reputation: 32198

In order to protect your API key you have to check the value of the window.location.href within a webview. I guess you will see something like file://some/path.

So you will need apply HTTP referrer restriction for this path. Note that URLs with a file:// protocol require special representation as explained in

https://developers.google.com/maps/documentation/javascript/get-api-key#restrict_key

Note: file:// referers need a special representation to be added to the key restriction. The "file://" part should be replaced with "__file_url__" before being added to the key restriction. For example, "file:///path/to/" should be formatted as "__file_url__//path/to/*". After enabling file:// referers, it is recommended you regularly check your usage, to make sure it matches your expectations.

I hope this helps.

Upvotes: 2

How to protect Google Maps API key on Ionic app?

Answers (3)

Related Questions