Okay, but that also would lead to the same problem of exposed key but different one this time, since you need some form of token ( service account ) to communicate with KMS service. I wouldn’t recommend that, since mobile apps are effectively public, so you might expose KMS credentials.

Once think you could do is perform KMS operation at deployed stage via Continuous delivery server. Like, store the secrets per environment as encrypted and the CD would have access to decrypt production credentials and build the app bundle.