Hacker News
by jchw 2927 days ago
At some point the app needs to have some credential hardcoded, but you can make it more obscured by getting the API key from your own server with some kind of challenge/response. This makes it easier to rotate third party API keys and cut off unauthorized usage, by including information in the challenge request that could be used to correlate unauthorized requests.

Your hardcoded credential could then become a cryptographic key that you could rotate on app updates.

I am not sure how many apps actually go through this trouble.
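The scheme sketched in the comment above, as an added example that is not part of the thread and not anyone's production design: the app carries a per-build secret (the "hardcoded credential", rotated with each app update), the server issues a nonce challenge, the app answers with an HMAC over the nonce and its build id, and only then does the server release the real third-party key. The server logs which build and client tag received the key, which is the correlation data the commenter mentions. All names (`KeyBroker`, `client_response`, the build ids, secrets and client tags) are invented for this example, and the sample values are constructed inline.

```python
import hmac
import hashlib
import secrets
import time

# Hypothetical design for the HN comment's challenge/response idea. Nothing
# here is from the thread; the build ids and secrets below are constructed.

CHALLENGE_TTL_SECONDS = 60


def client_response(build_secret: bytes, build_id: str, nonce: str) -> str:
    """App side: prove possession of the build secret without transmitting it.

    Binding the build id into the MAC means a response captured from one
    build cannot be replayed under another build id.
    """
    msg = f"{build_id}|{nonce}".encode()
    return hmac.new(build_secret, msg, hashlib.sha256).hexdigest()


class KeyBroker:
    """Server side: issues challenges and hands out the third-party key."""

    def __init__(self, build_secrets: dict, third_party_key: str):
        self.build_secrets = dict(build_secrets)  # build_id -> secret bytes
        self.third_party_key = third_party_key    # the key the app really needs
        self.pending = {}    # nonce -> (build_id, client_tag, issued_at)
        self.audit = []      # who got the key; used to correlate abuse reports

    def issue_challenge(self, build_id: str, client_tag: str, now=None):
        """Return a fresh nonce, or None if the build is unknown or revoked."""
        if build_id not in self.build_secrets:
            self.audit.append(("rejected", build_id, client_tag))
            return None
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (build_id, client_tag, now or time.time())
        return nonce

    def redeem(self, build_id: str, nonce: str, response: str, now=None):
        """Verify the response; return the third-party key or None."""
        entry = self.pending.pop(nonce, None)     # single use, so replay fails
        if entry is None:
            return None
        issued_build, client_tag, issued_at = entry
        if issued_build != build_id:
            return None
        if (now or time.time()) - issued_at > CHALLENGE_TTL_SECONDS:
            return None
        secret = self.build_secrets.get(build_id)
        if secret is None:                        # revoked after challenge issued
            return None
        expected = client_response(secret, build_id, nonce)
        if not hmac.compare_digest(expected, response):
            self.audit.append(("bad_mac", build_id, client_tag))
            return None
        # Log the recipient: if the vendor later reports abuse, this is what
        # lets you tie it back to a build and a client tag.
        self.audit.append(("issued", build_id, client_tag))
        return self.third_party_key

    def revoke_build(self, build_id: str):
        """Cut off a build whose secret leaked; its users must update."""
        self.build_secrets.pop(build_id, None)

    def rotate_third_party_key(self, new_key: str):
        """Rotate the vendor key without shipping a new app build."""
        self.third_party_key = new_key


def demo():
    """Run the exchange end to end and return the observable outcomes."""
    old_secret = bytes.fromhex("11" * 32)   # constructed secret for build 1.0
    new_secret = bytes.fromhex("22" * 32)   # constructed secret for build 1.1
    broker = KeyBroker({"app-1.0": old_secret, "app-1.1": new_secret}, "tp-key-A")

    # Legitimate client on build 1.0 fetches the key; replaying the nonce fails.
    nonce = broker.issue_challenge("app-1.0", "device-123")
    key = broker.redeem("app-1.0", nonce, client_response(old_secret, "app-1.0", nonce))
    replay = broker.redeem("app-1.0", nonce, client_response(old_secret, "app-1.0", nonce))

    # A secret extracted from build 1.0 does not work when claiming build 1.1.
    nonce2 = broker.issue_challenge("app-1.1", "device-999")
    wrong = broker.redeem("app-1.1", nonce2, client_response(old_secret, "app-1.1", nonce2))

    # Rotate the vendor key and revoke the leaked build; only 1.1 keeps working.
    broker.rotate_third_party_key("tp-key-B")
    broker.revoke_build("app-1.0")
    after_revoke = broker.issue_challenge("app-1.0", "device-123")
    nonce3 = broker.issue_challenge("app-1.1", "device-777")
    rotated = broker.redeem("app-1.1", nonce3, client_response(new_secret, "app-1.1", nonce3))

    return {"key": key, "replay": replay, "wrong_secret": wrong,
            "after_revoke": after_revoke, "rotated": rotated, "audit": broker.audit}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The caveat the comment already hints at with "obscured": the build secret is still in the binary and can be pulled out by anyone who unpacks the app, so this buys rotation, cut-off and correlation rather than secrecy, and the exchange must run over TLS or the released key is exposed in transit anyway.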