This question is about how to secure API keys. Not sure if this is in the same category as Key management for Cryptography and should follow the same rules. See details below.

We currently have hybrid Mobile Apps. The apps are made using Angular and Ionic. Now, we have some functions where we would need to use some of Google's APIs in order to implement the functions we want. No problem there.

The issue is how to securely store the API keys that we pass to Google APIs. It would not seem to be good practice to hardcode them in the UI code. Can anyone help us here and suggest a way to securely store the API keys? We have already thought of retrieving them from the back end, but that would still expose them after we retrieve them from the back end and pass them to Google.

  • Does this answer your question? [How to protect API Key in Android application](https://security.stackexchange.com/questions/142893/how-to-protect-api-key-in-android-application) – Steffen Ullrich Nov 16 '20 at 06:16
  • Hello @SteffenUllrich. If the solution is via a proxy server, how will the proxy server know the request is legit? – Xmus Jackson Flaxon Waxon Nov 28 '20 at 22:24
  • This is a different question - and not a trivial one. But having the API keys outside of the client-side application lets at least the server side control its use, i.e. apply rate limiting etc. As for making sure it is the correct client, see for example [Verifying android application integrity from server side](https://security.stackexchange.com/questions/112312/) or [Server client verification](https://security.stackexchange.com/questions/131439/). – Steffen Ullrich Nov 28 '20 at 22:53
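
The server-side control mentioned in the last comment, as an added example that is not part of the original thread: the back end holds the Google key, forwards only allowlisted parameters and rate-limits each client. The Geocoding endpoint, the names `ROUTES`, `TokenBucket` and `planUpstreamRequest`, and a `clientId` taken from the app's existing login session are assumptions; verifying that the client is genuine is outside this example.

```javascript
// Added example; all names here are hypothetical.
// The key exists only in the server's environment (placeholder for the demo).
const GOOGLE_API_KEY = process.env.GOOGLE_API_KEY || "PLACEHOLDER_KEY";

// Allowlist of proxy routes: upstream endpoint and the parameters a client may set.
const ROUTES = new Map([
  ["/geocode", {
    upstream: "https://maps.googleapis.com/maps/api/geocode/json",
    params: ["address", "language"],
  }],
]);

// Per-client token bucket: up to `capacity` requests, refilled at `ratePerSec`.
class TokenBucket {
  constructor(capacity, ratePerSec) {
    this.capacity = capacity;
    this.ratePerSec = ratePerSec;
    this.buckets = new Map(); // clientId -> { tokens, last }
  }
  take(clientId, nowMs) {
    const b = this.buckets.get(clientId) || { tokens: this.capacity, last: nowMs };
    const refill = ((nowMs - b.last) / 1000) * this.ratePerSec;
    b.tokens = Math.min(this.capacity, b.tokens + refill);
    b.last = nowMs;
    this.buckets.set(clientId, b);
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  }
}

// Decide how to handle one app request. Returns { status } and, when allowed,
// the upstream URL the server (not the app) will fetch.
function planUpstreamRequest(limiter, clientId, path, query, nowMs) {
  const route = ROUTES.get(path);
  if (!route) return { status: 404 };
  if (!limiter.take(clientId, nowMs)) return { status: 429 };
  const url = new URL(route.upstream);
  for (const name of route.params) {
    if (typeof query[name] === "string") url.searchParams.set(name, query[name]);
  }
  // The key is attached here; a client-supplied "key" is not in the allowlist
  // and is never copied.
  url.searchParams.set("key", GOOGLE_API_KEY);
  return { status: 200, url: url.toString() };
}
```

The app calls the proxy route with its own session credentials and never receives the key; the server performs the upstream fetch and relays the response.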

0 Answers