You can securely save data on the client (Android, iPhone) so that only the app can access it. It's an OS security feature.
![image.png](https://images.hive.blog/768x0/https://files.peakd.com/file/peakd-hive/henryonert/23w3F13wuDVMxgnbbfXdgxHsCck1MkSpZ45kYfWJ6VC4WbUqL1uYvQzQsCMGxHDaYwsZX.png)
Source
Your secrets are then encrypted, and your password or fingerprint can be used to decrypt them.
You have to take measures to protect yourself regardless of where you're using it.
It depends on the purpose of the key and other security features.
On some apps I've worked on, before you get into the app you fetch a token, different from the normal access token, which you'll then pass to every request. Different strokes for different folks, basically.
If this is the actual problem for your use case, then you need an app integrity checker. You can embed certificates and implement certificate pinning as well.
With an app integrity checker, it will confirm that the app making the request is indeed built from your source code and not modified in any way. Another check is whether it's installed from the right source, that is, the Play Store for Android.
Your server will reject any other requests.
There are alternatives to Firebase, though.
Currently working on an app...
Only paid users should have access to some files, and for performance I stored the files in secure storage on the user's device, which means the user can't access them directly; it has to be through the app. But what if the user bypasses Android's security? I encrypted the files.
At the end of the day you have to send the token via header 😩
The simplest solution is to use an RSA public/private key pair.
Client and server exchange keys.
Encryption is a topic I would encourage everyone to read about.
I see some have already suggested end-to-end encryption.
Let me start from there.