To not expose my Google Map API key, it is best to not include the API key in the Android app repo itself. How am I suppose to use Google Map if the API key is not in the app? Storing the API key in a server is the way to go so do I make a network call on app init and request for the API key? After getting the response from server, store the API key in the shared preferences? This is the only way that I could think of but if it is being stored in shared preferences, I believe that the API key can be obtained by reading the values in shared preferences through reverse engineering. Can anyone tell me what is the secure way to use the API key, thank you.
Secure usage of Google Maps Platform API key in Android apps is described in Google Maps Platform documentation:
https://developers.google.com/maps/documentation/android-sdk/get-api-key#restrict_key
The trick is applying Android app restriction that consist of the package name of your app and SHA-1 fingerprint of your certificate. This restriction is set in your Google Cloud console and is not exposed anywhere in your source code.
If somebody tries to use your API key in unauthorized way they will get an error, because they need your private certificate to make the API key work.
So, there is no problem adding an API key in the source code in case you set an Android restriction properly.
Also, I would suggest having a look at the API key best practices article:
https://developers.google.com/maps/api-key-best-practices
I hope my answer clarifies your doubt.