Even devs can't cope. Most apps leak credentials severely. You need integrity verification, obfuscation and whitebox crypto to do this sort of thing securely.
All of that is available in the banking world and is often deployed by people like Irdeto (who I work for) and Arxan etc.
This illustrates a question I've been wondering about for a while - while each developer on a project should have a good idea of security best practice, is it worth it for each to be an expert in security? I've always felt that there should be a member (or team, depending on project scale) for each project who is a "security expert" and can guide decisions for security best practice. So the developers can be aware that they need to tie in an API key at some point, and the security expert can guide the best way to implement that.