You can always use a private API if you have access to your application code (see this thread). However, you can make it harder. And you can limit the use of the API with the following parameters.
1) if it's not "your" API, do not put the key in the application, but on the server you are working on, to serve as a proxy server for the external service (you probably still need another key for your application server then)
2) encrypt / scramble the key so that it is not easily captured:
- simple example for scrambling: put the key in a file; generate a random file of the same length; xor the key file with the random file (and write it to disk again); whenever you need the key, read both files and xor them again (any reversible operation will do instead of xor - a more complicated operation distributed through your code will complicate the work of the reverse engineer)
- encrypt your key using a passphrase distributed throughout your application (when you deploy an Android application, it gets obfuscated anyway, so the search becomes a little more complicated).
3) if this is your service or you have a proxy server installed, limit the number of requests per client / IP or offer only parts of the service through the proxy server
Note: Option 1 may even be required if you have a contract that prohibits the publication of your key.
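The xor scrambling scheme from point 2, as an added example that is not part of the answer above (written in Python rather than Android code so it can be run anywhere; the file names and the sample key are assumptions). It also shows why this is obfuscation rather than protection: whoever holds both files, which both ship with the app, recovers the key with the same xor.

```python
import os
import tempfile
from pathlib import Path


def split_key(key: bytes, key_file: Path, mask_file: Path) -> None:
    """Store `key` as two files: a random mask and (key XOR mask).

    Neither file alone reveals the key, but both are shipped with the
    application, so this only raises the effort for a reverse engineer.
    """
    mask = os.urandom(len(key))                      # random file, same length as the key
    masked = bytes(k ^ m for k, m in zip(key, mask))  # key XOR mask
    mask_file.write_bytes(mask)
    key_file.write_bytes(masked)                     # the plain key is no longer on disk


def load_key(key_file: Path, mask_file: Path) -> bytes:
    """Read both files and xor them again to obtain the original key."""
    masked = key_file.read_bytes()
    mask = mask_file.read_bytes()
    if len(masked) != len(mask):
        raise ValueError("key file and mask file must have the same length")
    return bytes(a ^ b for a, b in zip(masked, mask))


def demo() -> dict:
    """Round-trip a constructed sample key through a temporary directory."""
    key = b"sk_example_key_0123456789"          # constructed sample, not a real key
    tmp_dir = Path(tempfile.mkdtemp())
    key_file, mask_file = tmp_dir / "key.bin", tmp_dir / "mask.bin"
    split_key(key, key_file, mask_file)
    on_disk = key_file.read_bytes() + mask_file.read_bytes()
    return {
        "recovered": load_key(key_file, mask_file),  # equals `key`
        "plaintext_on_disk": key in on_disk,         # False: no file holds the raw key
    }


if __name__ == "__main__":
    print(demo())
```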