An answer from StackOverflow by a “Senior iOS Developer”:
I just ended up taking two keypairs. One of them I used to encrypt the other one. Then I broke up the encrypted form into many shards and stashed them all over the place… in the cloud… on servers… in obfuscated strings on my app… etc.
None of the strings involved in the encryption or keys is in string or binary format in the compiled app. It is all generated programmatically in a quite obfuscated fashion.
At runtime we use arcane math functions to build method names that call hidden methods around the app to assemble the first key, then we go get the encrypted shards of the second key from all over the internet and decrypt them with the first key, then we use the second key to decrypt the important client data.
Then we use a special sauce method where none of the code that’s involved in this obfuscation is anywhere in our repository. It gets loaded in dynamically at a special time. That’s all I will say about that.
—and—
I know using someone else’s encrypting software would be faster and easier but this is more fun, plus it can run on my phone. … you are basically saying there are better ways to do it, and I’m just saying mine is not a bad way.