[CornishPasty]

By using HTTPS/SSL. But the onus of that is on the API provider...

[thedufer]

It also doesn't help that much - you can still look up the api key in the package, which isn't a whole lot harder. You could probably sign your own cert, tell your device to trust it, and MITM it, too.