android, google-api, api-security

How does Google API restriction for Android work?


Apparently, Google offers a system that allows API consumers to use their APIs only in Android applications for security.

To use this system, you only need to give the Android package name and the SHA-1 key of your application's Keystore file.

Can this security measure be circumvented? What kind of communication is going on between Android app and Google server in the background?


Solution

  • Google extracts the signing signature (SHA-1 key) and package name at runtime from the app, then puts both into headers in their HTTP request. The signing signature can be extracted from the .apk file, therefore we can say that Google API restriction is not so secure for Android.