Where available, you could store the keys in an encrypted block in your app, not in code, making then impossible to scrape.
Even with this, for them to be used, they need to be loaded in memory in plain text, so theoretically, someone can still get to them.
