Talk

Your API Key is Not a Secret: The "Genuine App" Pattern

Speaker: Michal Jeníček, Android Engineer
Platform: Android

We have all been there: trying to hide API keys in gradle.properties, burying them in the NDK, or using complex obfuscation tools. But here is the hard truth: if it’s in your app code, it’s not a secret—it’s a public identifier. So, how do you prevent unauthorized clients from abusing your backend if you can't trust the client?

In this session, we will move past the "hide and seek" game. I will demonstrate a secrets management architecture that doesn't rely on user login but instead relies on cryptographic attestation. We will dive deep into the Google Play Integrity API, showing you how to implement a handshake that proves the request is coming from your genuine, unmodified app binary. You will leave with a concrete pattern for a "Simple Server" validation flow that makes stolen API keys useless.
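To make the "Simple Server" side of that handshake concrete, here is an added example (not code from the talk or its speaker) of what the backend must check once it has sent the client's integrity token to Google's decodeIntegrityToken endpoint and received the decoded verdict. The network call to Google is omitted; the function validates the decoded payload. Field names follow the Play Integrity verdict format (`requestDetails`, `appIntegrity`, `deviceIntegrity`); the package name, the signing-certificate digest, the nonce lifetime and the in-memory nonce store are assumptions for illustration, and the sample payload is constructed.

```python
"""Server-side validation of a decoded Play Integrity verdict (added example).

Flow: the server issues a single-use nonce; the app requests an integrity
token bound to that nonce; the server asks Google to decode the token and
then applies the checks below before honouring the API call.
"""
import base64
import secrets
import time

NONCE_TTL_MS = 5 * 60 * 1000  # assumed: an issued nonce is valid for five minutes

# Assumed deployment values; a real backend substitutes its own.
EXPECTED_PACKAGE = "com.example.genuineapp"
EXPECTED_CERT_DIGESTS = {"PLACEHOLDER_BASE64URL_SHA256_OF_SIGNING_CERT"}

# nonce -> issue time in ms. In production this would be a shared store with a TTL.
_issued_nonces = {}


def issue_nonce(now_ms=None):
    """Create a random single-use nonce the client must bind into its token request."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    nonce = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    _issued_nonces[nonce] = now_ms
    return nonce


def validate_verdict(payload, now_ms):
    """Return (accepted, reasons). All checks must pass; reasons lists each failure."""
    reasons = []
    req = payload.get("requestDetails", {})
    app = payload.get("appIntegrity", {})
    dev = payload.get("deviceIntegrity", {})

    # 1. Nonce binding: must be one we issued, unexpired, and consumed exactly once
    #    (pop() makes a replayed token fail here).
    issued_at = _issued_nonces.pop(req.get("nonce"), None)
    if issued_at is None:
        reasons.append("nonce unknown or already used")
    elif now_ms - issued_at > NONCE_TTL_MS:
        reasons.append("nonce expired")

    # 2. Request details: the token was requested by our package, recently.
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        reasons.append("requestPackageName mismatch")
    if abs(now_ms - int(req.get("timestampMillis", 0))) > NONCE_TTL_MS:
        reasons.append("token timestamp outside freshness window")

    # 3. App integrity: Play recognises the binary and it carries our signing key.
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("appRecognitionVerdict=%s" % app.get("appRecognitionVerdict"))
    if app.get("packageName") != EXPECTED_PACKAGE:
        reasons.append("appIntegrity.packageName mismatch")
    if not set(app.get("certificateSha256Digest", [])) & EXPECTED_CERT_DIGESTS:
        reasons.append("signing certificate digest not recognised")

    # 4. Device integrity: require at least MEETS_DEVICE_INTEGRITY.
    if "MEETS_DEVICE_INTEGRITY" not in dev.get("deviceRecognitionVerdict", []):
        reasons.append("device integrity not met")

    return (not reasons, reasons)


def make_payload(nonce, ts_ms, package=EXPECTED_PACKAGE, digest=None):
    """Constructed sample of a decoded verdict, shaped like tokenPayloadExternal."""
    return {
        "requestDetails": {"requestPackageName": package, "nonce": nonce,
                           "timestampMillis": str(ts_ms)},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED",
                         "packageName": package, "versionCode": "42",
                         "certificateSha256Digest": [digest or next(iter(EXPECTED_CERT_DIGESTS))]},
        "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY"]},
    }


def demo(now_ms=1_700_000_000_000):
    """Genuine request accepted; the same token replayed, and a repackaged app, rejected."""
    nonce = issue_nonce(now_ms)
    genuine = validate_verdict(make_payload(nonce, now_ms), now_ms + 2_000)
    replayed = validate_verdict(make_payload(nonce, now_ms), now_ms + 3_000)
    other = issue_nonce(now_ms)
    repackaged = validate_verdict(make_payload(other, now_ms, package="com.evil.clone"), now_ms + 2_000)
    return genuine, replayed, repackaged


if __name__ == "__main__":
    for label, result in zip(("genuine", "replayed", "repackaged"), demo()):
        print(label, result)
```

The point of the pattern is that a leaked API key buys an attacker nothing: the backend does not trust the key, it trusts a verdict that is bound to a fresh server-issued nonce, to the expected package name and signing certificate, and to a device that passes the integrity check, and it consumes each nonce once so a captured token cannot be replayed.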