I have an open source Android app which I am planning on adding Flurry tracking to. Flurry creates a unique API key for your app's tracking.
Do I need to try and hide this API key in my source code (i.e. not include it and I would add it every time I build for release) or just not worry about it?
Are other people going to be downloading this open source project and building their own versions? If so, I would leave the API key out and put in a config file (with name/value) that's loaded through code. Or, is this going to be open source just to allow a lot of people to work on it? In which case, it might be easier to just leave it in.
Personally, I would go with the config file no matter what and leave it out. If only because someone else could get your API key, add it to their app and mess with your data. That, and every time you build and run in the test environment, that'll affect your stats.
I use Google Code as a svn repository and for any of my api keys I put a placeholder in strings.xml and make sure to blank them out if I check anything in.
Applications of this nature should have a configuration file that stands alone outside the repository. Instead of committing the file itself, create a "sample" version of the file which gets committed to the repository, which contains all the necessary settings but just has dummy data. Then in your app, dynamically load the "real" config file.
When another dev checks out the code, they will have to do some simple, initial setup. One of those items includes making a copy of the sample config file and renaming it to the proper, correct config file name, then updating it with their own private settings for keys, passwords, etc.