You cannot store them in the application. An application can be decompiled or run on a modified device that gives greater access to the application's memory, or an attacker can modify the application to add extra logging of network traffic, storage, database contents, etc.
For server authentication, your application should probably obtain authentication tokens (or similar) by exchanging user credentials for them, or by obtaining them from AccountManager or similar APIs. You can also use the SafetyNet API ( https://developer.android.com/training/safetynet/index.html ) to confirm to your servers that the request is coming from an application signed with your signing key.
To encrypt a database, an application can generate a random encryption key on the device, either tied to user credentials, stored in the Android Keystore, or simply relying on the protection Android offers to applications. It depends on your threat model (i.e., why do you think you need to encrypt the database?).
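As an added illustration of the Keystore-backed option described in the answer above (example code, not the answerer's), this wraps a random per-install database key under a non-exportable AndroidKeyStore AES key, so the on-disk blob is useless to anyone who copies the app's data directory. The alias `db_wrap_key` and the `nonce || ciphertext || tag` blob layout are assumptions of this example; it requires API 23 or later.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Wraps a random per-install database key under a non-exportable AndroidKeyStore key (API 23+). */
public final class DbKeyWrapper {
    private static final String ALIAS = "db_wrap_key";          // assumed alias; choose your own
    private static final String TRANSFORM = "AES/GCM/NoPadding";
    private static final int NONCE_LEN = 12;                    // GCM nonce length produced by Keystore
    /** Generates a fresh 256-bit database key and returns it wrapped as nonce || ciphertext || tag. */
    public static byte[] createWrappedDbKey() throws Exception {
        byte[] dbKey = new byte[32];
        new SecureRandom().nextBytes(dbKey);
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, getOrCreateWrapKey());     // Keystore picks a random nonce
        byte[] nonce = c.getIV();
        byte[] ct = c.doFinal(dbKey);
        Arrays.fill(dbKey, (byte) 0);                           // only the wrapped form leaves this method
        byte[] blob = Arrays.copyOf(nonce, nonce.length + ct.length);
        System.arraycopy(ct, 0, blob, nonce.length, ct.length);
        return blob;  // store in app-private storage; useless to anyone without the Keystore key
    }
    /** Recovers the database key from a blob made by createWrappedDbKey(); zero it after opening the DB. */
    public static byte[] unwrapDbKey(byte[] blob) throws Exception {
        GCMParameterSpec spec = new GCMParameterSpec(128, Arrays.copyOfRange(blob, 0, NONCE_LEN));
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, getOrCreateWrapKey(), spec);
        return c.doFinal(blob, NONCE_LEN, blob.length - NONCE_LEN); // AEADBadTagException if tampered
    }
    private static SecretKey getOrCreateWrapKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        KeyStore.Entry e = ks.getEntry(ALIAS, null);
        if (e instanceof KeyStore.SecretKeyEntry) return ((KeyStore.SecretKeyEntry) e).getSecretKey();
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .build());
        return kg.generateKey();                                // key material never leaves the Keystore
    }
}
```

On a rooted or modified device the unwrapped key is still exposed in process memory while the database is open, which is the threat-model point the answer makes: Keystore protects the key at rest, not from an attacker who controls the running app.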