I'm not sure if that would be a good solution, or is it just as insecure as having the password in the code.
It's just as insecure, as the software would need to store the decryption key itself in plain-text.
But why are you so concerned about keeping the password secret? As long as each device has a different password, you can identify abusive uses (too many requests, or from multiple sources, etc.) and block that account.
What do you fear that the client could do with the device password?
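An added example, not part of the original answer: a server-side sketch of the per-device abuse check described above, flagging a device credential that makes too many requests or appears from too many sources, then blocking that account. The thresholds, the `DeviceAbuseMonitor` name and the sample log are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed sliding window length
MAX_REQUESTS = 5      # assumed per-device request ceiling within the window
MAX_SOURCES = 2       # assumed distinct source addresses tolerated per device


class DeviceAbuseMonitor:
    """Hypothetical monitor keyed on the per-device credential."""

    def __init__(self):
        self.recent = defaultdict(deque)  # device_id -> deque of (timestamp, source_ip)
        self.blocked = {}                 # device_id -> reason for the block

    def observe(self, timestamp, device_id, source_ip):
        """Record one authenticated request; return False if it is rejected."""
        if device_id in self.blocked:
            return False
        window = self.recent[device_id]
        window.append((timestamp, source_ip))
        # Drop events that have fallen out of the sliding window.
        while window and window[0][0] <= timestamp - WINDOW_SECONDS:
            window.popleft()
        sources = {ip for _, ip in window}
        if len(window) > MAX_REQUESTS:
            self.blocked[device_id] = "too many requests"
        elif len(sources) > MAX_SOURCES:
            self.blocked[device_id] = "too many sources"
        if device_id in self.blocked:
            del self.recent[device_id]  # state is no longer needed once blocked
            return False
        return True


def run_sample():
    # Constructed sample log entries: (unix_seconds, device_id, source_ip)
    log = [(t, "dev-A", "198.51.100.10") for t in range(0, 300, 30)]  # steady, one source
    log += [(100 + i, "dev-B", "198.51.100.20") for i in range(8)]    # request burst
    log += [(200 + 5 * i, "dev-C", f"203.0.113.{i + 1}") for i in range(4)]  # shared credential
    monitor = DeviceAbuseMonitor()
    accepted = defaultdict(int)
    for ts, dev, ip in sorted(log):
        if monitor.observe(ts, dev, ip):
            accepted[dev] += 1
    return monitor.blocked, dict(accepted)


if __name__ == "__main__":
    print(run_sample())
```

Because each device has its own password, blocking `dev-B` or `dev-C` leaves `dev-A` unaffected.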