How to secure my Google Maps Javascript V3 API Key within an Ionic/Cordova App?

Question

I am currently developing an Ionic app where I have an embedded Google Map. The Google Maps V3 API recommends using an API key for tracking usage. The thing is when I create an API Key for browser usage I can only secure my API key by specifying referrers. Now I don't have a referrer on mobile devices so what can I do to avoid that other people can also use my API key?

Answer 1

The way I see it you have two options:

1. You can not secure it at all, since in order for someone to get the key they will need to extract it from your application. In most cases even if someone were to obtain the key, it is doubtful they would use it for anything malicious since they could just get their own key. This is a risk you have to assess on a project by project basis and decide if it is something you can tolerate.
2. The second option is to secure it down to a specific referrer and then spoof the referrer being used by your web views on the device. There are a few examples on stack overflow on how to do this. See Specifying HTTP referer in embedded UIWebView

Either way, it is still possible for someone to get your key and use it to make requests on your behalf. They could do it by spoofing the referrer themselves even if you go that route since it is a header provided by the client browser.