This depends a lot on your specific situation. Ultimately though, it's almost impossible to ensure that hard-coded keys in your binary application won't leak – even if they're stored using encryption, obfuscation, etc. Very motivated attackers will always be able to extract them.
As such, our recommendation for using secrets with mobile applications is to deploy a separate backend application that proxies all your requests that require secrets (e.g., requests to third-party APIs). You can store your secrets in Doppler and use them with your backend without the mobile app needing access to them at all. When your mobile app needs to make an API request it then contacts your backend application which makes the actual request.
Although this does add a little complexity to the application, it will preserve the integrity of your secrets and will also allow you to do things like apply API limits or throttles to specific user accounts before it hits the API you need it to. Another benefit is that you can easily update credentials for all your deployed apps without requiring end users to update the app on their devices.
Updated about 1 year ago