In building an app I was suggested not to incorporate the public key into any code as a literal string. Although it is not secret, it may be replaced by another in a possible fraud attempt. As a solution it was suggested to build the real-time string from scratch or use bit manipulation (eg XOR with some other string) to hide the real key.
How does this work?