I use Google's keyczar to create the public/private key. It's an extra lookup but it keeps the information from being compromised.
I've also seen people put it in the Account Manager, but the public/private key, in my opinion, is safer.
Godfrey Nolan wrote: There's synchronous and asynchronous encryption; synchronous encryption uses a single key. Like you point out, that's not good, as someone can decompile it and get the key and decrypt your data. But asynchronous uses a public/private pair. It doesn't matter if someone gets the public key when they decompile your file, as all they can do is encrypt the data, not decrypt it; only the private key can do that, and that happens on the server, not on the phone. I'll put something up on github tomorrow so you can play with it.
Just being pedantic... I think the correct terminology is Symmetric and Asymmetric Encryption.