I want to use Microsoft Azure Storage Android API to upload images made by phone camera. Here's like to it: https://github.com/azure/azure-storage-android
Here's my question: Account name and key are stored in string inside app, so anyone could decompile it, get these credentials and then, for example, upload lots of data which would cost me money.
So is it safe to use this on android app? What are my other options?
You should not store the keys in your application. You're right that somebody could decompile your app and get the keys. Furthermore, if you ever have to change your account key for whatever reasons your users would need to download your application again.
What you should do is make use of Shared Access Signature (SAS) when somebody needs to upload the images. You could use Azure Mobile Service or write your own web service to get SAS (with write permission) on demand and use that in your application to upload images in your storage account.
You are right. If you are shipping the credentials to your Azure storage account in your app, then well, anyone has the credentials and can do anything with it.
Typically you would create an intermediate web service (e.g. hosted on Azure websites) which accesses Azure storage and limit the amount of data each user may upload. The app communicates only with your web service and hence does not need to know about the credentials to the storage account.
Obviously you will need some kind of user management built into your web service, e.g. custom accounts, Google login (most Android users will have a Google account), OpenID, OAuth, ...
