you have to put your private key somewhere, in apps is generally fine. People are only concerned about websites because of XSS attacks