Tags: java, android, encryption, mcrypt

Keeping secret key SECRET - within Android app.. any ideas


I have an mcrypt encryption and decryption routine within one of my Android apps. This is essentially decrypting a string which is fetched via a remote call. Naturally the "secret key" is stored within the code, but anyone with apktool can obviously see the code and see my secret key.

Is there any way to encrypt all the Java code so that, even if decompiled, it would not be readable/understandable?

I've heard of ProGuard, but from reading about it, it doesn't seem sufficient for this purpose.


Solution

  • You should never put a secret key inside code. Compiled code can be easily reverse-engineered, and anyone with a debugger can hook into the point where the actual key is created. Security always relies on the algorithm; it is assumed that the client code is public and a potential attacker has a copy.

    Hiding literals in code just delays the attacker in the process of getting the key, but it doesn't prevent it in any way.
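One way to act on this answer before a release, as an added example that is not part of the original question or answer: a small Python check that runs over your own source (or over the decompiled output of your own build) and flags key-shaped, high-entropy string literals so they are caught before shipping. The class, names and literals below are constructed for the demo.

```python
import math
import re

# Constructed sample of what decompiled Android Java might look like (hypothetical names).
SAMPLE_SOURCE = """\
public class Crypto {
    private static final String SECRET_KEY = "7f3a9c1e5b2d4f8a6c0e1b3d5f7a9c2e";
    private static final String PADDING = "AAAAAAAAAAAAAAAA";
    private static final String LOG_TAG = "CryptoHelper";
    private static final String API_URL = "https://example.invalid/api/v1/blob";
    byte[] iv = Base64.decode("Kx9mQ2pLzR7vTb4YcW8nAa==", Base64.DEFAULT);
}
"""

# Any double-quoted Java string literal (handles escaped quotes inside).
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Literals shaped like raw key material: long hex, or long base64 with optional padding.
KEY_SHAPED = re.compile(r'^(?:[0-9a-fA-F]{16,}|[A-Za-z0-9+/]{16,}={0,2})$')


def shannon_entropy(text):
    """Bits of entropy per character: random key bytes encoded as hex approach 4.0,
    base64 approaches 6.0, while names, URLs and padding sit much lower."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_key_candidates(source, min_entropy=3.5):
    """Return (line_number, literal, entropy) for literals that look like embedded keys.
    Shape alone is not enough: a run of 'A's matches the hex pattern but has zero entropy."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in STRING_LITERAL.finditer(line):
            literal = match.group(1)
            if KEY_SHAPED.match(literal):
                entropy = shannon_entropy(literal)
                if entropy >= min_entropy:
                    hits.append((lineno, literal, round(entropy, 2)))
    return hits


if __name__ == "__main__":
    for lineno, literal, entropy in find_key_candidates(SAMPLE_SOURCE):
        print(f"line {lineno}: possible embedded key {literal!r} (entropy {entropy})")
```

Run it against the decompiled output of your own APK and, as the answer says, treat any hit as a key an attacker also has, not as something to hide better.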