it's a public key that you can use openSSL command to get from any server that you want so it's not that secret. but It' still don't protected your from decompile APK, and IPA. You can use with https://developer.android.com/training/safetynet/verify-apps to double check that users download from the right store. I just have a improved version from this article, i will update it and make it more secure