I have a private API key in my Android app that is used in certain areas -- is there no way to prevent a user from somehow reverse-engineering or decompiling the Java to see what that key is? Is it not safe to put the key as a static field in a class? Is it safer to put it as a string resource in strings.xml? Or something else entirely? Or is it simply not possible to prevent a sufficiently motivated user from finding it?
Not only can it be, it's not even hard.
You can make it harder by not storing it as a string at all, but as a series of numbers that you convert to a string at runtime (perhaps obfuscating it somehow).
But the answer to
Or is it simply not possible to prevent a sufficiently motivated user from finding it?
is: Right, it's simply not possible.