[StavrosK]

You'll never find it, it's too well hidden! Muhaha!

P.S.: It isn't.

[Guillaume86]

I used a APK "decompiler" once to get API keys and urls (wasn't for candy crush but for a music app using https).

I guess it should work here too.

[pritambaral]

I have a setup with my own WiFi, SQUID as a transparent proxy with self-signed CA generating "legit" site certificates on the fly.

The CA is loaded into Android as trusted, internet is disabled on every app except target to reduce noise (yay! UNIX users/permissions!) SQUID's built-in logging spills all the magic beans.

[jbrooksuk]

I take it that the secret key is visible in the requests within Charles?

[CSDude]

Yes in a way, but actually no, it is hashed with some other values.

[StavrosK]

It's both hashed and the first few chars (four, IIRC) of the hash are transmitted, so it's really unlikely that one will be able to brute-force it.