Sending your key in the GET request as a special parameter is fine. It doesn't make things any more secure just because you sent your data as a header in a POST request. Most APIs will accept the application key in a GET parameter (e.g. Trello).
If there is something vitally secret that you don't want anyone else to find, then you don't want to keep it stored on the mobile app anyway because someone decompiling the app will be able to find it.
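
The decompilation point above can be turned into a pre-release check on your own build. This is an added example, not part of the original answer. It assumes the app package is a zip archive (as an APK is); the sample package, the key inside it, the function names and the entropy threshold are all constructed for illustration.

```python
import io, math, re, zipfile
from collections import Counter

# Runs of 20+ characters from the alphabet typically used for API keys/tokens.
TOKEN_RE = re.compile(rb"[A-Za-z0-9_\-]{20,}")

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random keys score well above identifiers."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def find_embedded_secrets(package: bytes, min_entropy: float = 4.0):
    """Return (member, token) pairs for key-like strings inside a zip-based app package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            # Scan the raw bytes of every member, compiled code included.
            for match in TOKEN_RE.finditer(zf.read(name)):
                token = match.group()
                if shannon_entropy(token) >= min_entropy:
                    findings.append((name, token.decode("ascii")))
    return findings

def build_sample_package() -> bytes:
    """Constructed stand-in for a built app: a zip with a fake compiled file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"\x00\x01com/example/app/ApiClient\x00"
                    b"q7Zp2Lx9Vb4Tn8Rk1Wd6Hs3Yf5Jc0MgA"  # constructed fake key
                    b"\x00https://api.example.invalid\x00")
        zf.writestr("res/values/strings.xml", b"<string name='app_name'>Demo</string>")
    return buf.getvalue()

if __name__ == "__main__":
    for member, token in find_embedded_secrets(build_sample_package()):
        # Print only a prefix so the check itself does not leak the value into CI logs.
        print(f"{member}: possible embedded secret {token[:4]}... ({len(token)} chars)")
```

A hit here means the value ships to every device that installs the app, so anything that must stay secret belongs behind your own server rather than in the package.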