My app requires some keys. One for the google maps api and one for my own API. Where is a safe place to put those? I was thinking about putting them in a xml or in the manifest, but this question says one is able to read an others resources.
Putting keys in a java file does not seem safe to me because they can be decompiled.
Where is a safe place to put my keys?
You can hash them with some algorithm. And after obfuscate the code, it will be difficult to reverse engineering.
Maybe you should use NDK to hide your keys. For example you just put your keys to native code and then build *.so library. In this way you could get your keys throught JNI. But of course this is not a "silver bullet" and lurcher can decompile library(with troubles for sure) or link it to his project and then try to get keys. + obfuscate your code.
