I’ve seen quite a few tricks apps use to hide API credentials and prevent reverse-engineering. Let me say it again: if you assume that your deliverable is secure, and use security by obscurity, you are doing it wrong. Sigh. If you deliver a binary with credentials to the user, assume that they will eventually be able to recover them.
Recently I needed to replicate API access for a major ticketing website. They use Digest authentication to generate access tokens, which expire every 5 minutes. I was able to intercept almost all the missing pieces of the puzzle, including the API key, using mitmproxy as usual.