How do you hide the consumer secret for Twitter which uses Oauth in your open-source project? Do you add the secret to the code before production deployment?
This goes for secrets/passwords in your open-source code in general as well.
The standard solution is to store it in a config file. Therefore everyone who wants to install and run the software needs to register his/her own password to use your software.
Generally, for server-based software, each installation is a separate service. For example NBC Universal, NPR and Huffington Post all use the same software but are considered different entities. Therefore this makes sense in general.
However, for desktop-based software this is not the case. The word processor used by NBC, NPR and Huffington Post are not considered different software but is just Microsoft Word. So for desktop-based software (or mobile App) the solution is similar except that you include the necessary private key/secret code during the build process. Again, keeping this all in config files makes life easier. Just make sure that the example/default config file that you upload to the public repo does not contain any secrets.