How to protect API keys and secrets in mobile apps
You can encrypt or break up the strings in your source code and only join them at runtime to make it harder for an attacker to extract your keys. Alternatively, you can use tools such as ProGuard or DexGuard to obfuscate your code.
However, these approaches only make it harder, not impossible and a determined attacker will always be able to extract strings from symbol table.
This is true of almost all web services such as AWS, Firebase, Facebook etc
Therefore, we recommend using user authentication to ensure that even if someone has the API key and can communicate with an API, they must then authenticate before they can do anything with it.