As you already found, any API key will work here until it is protected, but the Android API protected key will not work for the Google Maps Directions APIs.
Simply put, you need to use the server API key for the Directions APIs (or any of the webservice APIs).
From the documentation ::
The Google Maps Directions API will only work with the server key.
The reason for this is that these webservice APIs were originally intended to be used on websites, not Android apps.
In addition, the only way to protect the server key is the IP address, so there is no way to do this on the client side.
The official recommendation of Google is to use a proxy server to which the application executes requests and makes an API Directions request from a proxy server.
See here (This applies to the Places web services API, but it is valid for any of the webservice APIs): https://groups.google.com/forum/#!topic/google-places-api/SmujrL-pDpU p>
Google employee answer:
Alexei
Any saved client side is compromising, even with confusion, you make it a little slower for dedicated hacker access.
I would advise you to configure the application to send its places requests without an API key to the proxy server to receive the request, add the API key at the end of the request, send the request and then receive and return a response from the request to your application.
Greetings
Chris