diff --git a/README.md b/README.md
index d3bc307..cece8e2 100644
--- a/README.md
+++ b/README.md
@@ -23,6 +23,9 @@ Config.API_URL  // 'https://myapi.com'
 Config.GOOGLE_MAPS_API_KEY  // 'abcdefgh'
 ```
 
+Keep in mind this module doesn't obfuscate or encrypt secrets for packaging, so do not store sensitive keys in `.env`. It's [basically impossible to prevent users from reverse engineering mobile app secrets](https://rammic.github.io/2015/07/28/hiding-secrets-in-android-apps/), so design your app (and APIs) with that in mind.
+
+
 ### Android
 
 Config variables set in `.env` are available to your Java classes via `BuildConfig`: