Tags: spotify, libspotify

Preventing misuse of libspotify key


The terms of use for libspotify state that the key should be stored in a secure manner. The only recommendation for storing the key that I've found is compiling your application and distributing the binary. I have a hard time seeing this as anything other than security by obscurity, since the key is easily retrievable using a debugger.

Is this really the approach Spotify suggests? What about if I only compile the file containing the key and distribute the rest of my application as open source?

I guess the essence of my question is this: how do I avoid breaching the ToS without requiring every user to obtain their own key?


Solution

  • The logic is this (I work for Spotify): requiring our developers to jump through a bunch of hoops just to get their API key into their binary isn't going to be worth it - developers will be turned off by it and everyone will be unhappy.

    However, we don't want keys to be spread around, simply because if everyone is using one key, we can't track it reliably and if that key ends up being used for something malicious and we kill it, lots of applications will suddenly be broken.

    To force in a terrible car analogy, imagine the API key is some valuable item and your application is a car. If you leave the item on the car's seat (i.e., having your API key in plain text), you're practically inviting someone to break in and steal it (i.e., use your key in their own app). If you put it in the glove box (compile it into your binary), then if someone breaks into your car (disassembles your app) because they know the item is in the glove box, it's pretty much game over anyway.

    In short: Compiling in the key is absolutely security through obscurity, but we feel it's enough to dissuade people from casually reusing other applications' API keys when it's fairly trivial to get one from us directly.

    > I guess the essence of my question is this: how do I avoid breaching the ToS without requiring every user to obtain their own key?

    If you're distributing your application in binary form, compiling it in is just fine. If you're distributing it in source form, you can't really include the key.
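The answer's point that a compiled-in key is hidden rather than protected can be checked mechanically. What follows is an added example; it is not code from the question, the answer, or libspotify. A libspotify application key is a binary blob (the `g_appkey` array in the generated `appkey.c`), not a printable string, so `strings` will not find it, but a sliding-window Shannon entropy scan over the binary's data will, and it finds a key XORed with a constant byte (the "glove box" variant) just as easily, because XOR with a constant only permutes byte values and leaves the entropy unchanged. The 321-byte key length, the 16-symbol filler standing in for surrounding code and data, the window size, the threshold and the seeded "key" are all constructed assumptions for this example.

```python
"""Locate an embedded libspotify-style application key inside a binary image
by sliding-window Shannon entropy.

Added example, not code from the question, the answer, or libspotify.
Constructed assumptions:
  - the key is a 321-byte blob (the size of libspotify's generated g_appkey);
  - the surrounding "program" bytes are low-entropy filler from a 16-symbol
    alphabet, standing in for code and data sections;
  - the "glove box" variant is the key XORed with one constant byte.
"""
import math
import random
from collections import Counter

KEY_LEN = 321       # libspotify g_appkey size (assumption for this example)
WINDOW = 64         # bytes per entropy window
THRESHOLD = 5.0     # bits/byte: 64 uniform bytes score ~5.8, 16-symbol filler <= 4.0


def shannon_entropy(buf):
    """Shannon entropy of buf in bits per byte."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def find_high_entropy_runs(image, window=WINDOW, threshold=THRESHOLD):
    """Return [(start, end), ...] byte ranges covered by windows whose entropy
    is at least threshold; overlapping or adjacent hits are merged."""
    runs = []
    for off in range(len(image) - window + 1):
        if shannon_entropy(image[off:off + window]) >= threshold:
            if runs and off <= runs[-1][1]:
                runs[-1][1] = off + window
            else:
                runs.append([off, off + window])
    return [tuple(r) for r in runs]


def extract_candidate(image, key_len=KEY_LEN):
    """Return (start, end) of the longest high-entropy run that is big enough
    to hold a key_len-byte key, or None if there is no such run."""
    runs = [r for r in find_high_entropy_runs(image) if r[1] - r[0] >= key_len]
    if not runs:
        return None
    return max(runs, key=lambda r: r[1] - r[0])


def build_image(blob, seed=1):
    """Constructed stand-in for a compiled binary: low-entropy filler, the
    blob, more filler. Returns (image, blob_offset)."""
    rng = random.Random(seed)
    alphabet = bytes(range(0, 256, 16))  # 16 symbols -> entropy <= 4 bits/byte
    before = bytes(rng.choice(alphabet) for _ in range(2048))
    after = bytes(rng.choice(alphabet) for _ in range(2048))
    return before + blob + after, len(before)


def xor_obfuscate(key, k=0x5A):
    """'Glove box' variant: XOR every byte with a constant. The byte
    distribution is merely relabelled, so the entropy does not change."""
    return bytes(b ^ k for b in key)


def demo():
    """Embed a constructed key, plain and XOR-obfuscated, and locate both."""
    rng = random.Random(42)
    key = bytes(rng.getrandbits(8) for _ in range(KEY_LEN))  # constructed key
    results = {}
    for label, blob in (("plain", key), ("xor", xor_obfuscate(key))):
        image, key_off = build_image(blob)
        run = extract_candidate(image)
        results[label] = {
            "key_offset": key_off,
            "run": run,
            "contains_key": run is not None and blob in image[run[0]:run[1]],
        }
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label:5s} key at {r['key_offset']}, high-entropy run {r['run']}, "
              f"contains key: {r['contains_key']}")
```

Run it as a script to print the located ranges. The scan gives the neighbourhood of the key, not its exact boundaries; in a real binary the exact bytes come from the debugger the question mentions: break on `sp_session_create` and read `application_key` and `application_key_size` out of the `sp_session_config` it is passed. That is why the answer calls compiling the key in obscurity rather than protection.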