Google Maps API Exposure

Hello

We use the FNC Maps component in our application and we have our own Google Maps JavaScript API which we embed in the application. We have recently been subjected to a software certification with security flaws analysis, and one of the topics that came back from the certification is that our Google Maps API is being exposed when the application calls the Google Maps API.

I searched and basically there is no way to safeguard the API key, because it has to be transferred to Google, correct? People say that we should restrict the API, but the only restriction I can add is to restrict the API to Google Maps API usage only... I can't restrict the usage of the API to a specific website because the map is being embedded in an application, so I guess that restriction would not work, but that still doesn't prevent an attacker from grabbing our key and using the key maliciously to increase our costs.

What are your suggestions to safeguard the API key, considering the map is embedded on a desktop application?

The best practice according to Google is to restrict your API keys.

The following links explain this in detail: