Tags: google-play, license-key

Security in Google Play when using BillingProcessor from anjlab


I am using BillingProcessor from anjlab.

In that it has the function:

String licenceKey = "My license key from Google Play";
bp = BillingProcessor.newBillingProcessor(this, /*"YOUR LICENSE KEY FROM GOOGLE PLAY CONSOLE HERE" null if checking test*/ licenceKey, this);

where licenceKey is that really long string found in the Google Play console.

However, my question is:

1. Is that safe putting my Google Play Licence Key in my code that can be reverse engineered?

2. If it is not safe, what do I do?


Solution

  • Safe - yes and no. It is safe in that you won't be leaking any dangerous information. This key is just a public key from Google for your app that lets you check that purchase messages come from Google. If it was published on the internet there wouldn't be any big loss of security.

    However, whenever you do verification in the Android app, then you are vulnerable to your app being altered. An attacker can modify your APK to take out the check, and give your IAPs free. If your app has to work offline or doesn't have a server side part then there isn't much you can do about this. But if your app does have a server side component it is much safer to verify the purchase on your server. It depends on the design of your app.