INSTRUMENTATION FRAMEWORKS
For security within application, I am using below method to generate Keyhash.
No matter what type of code and how much you obfuscate it, all an attacker needs is to hook into your mobile app during runtime with an open source instrumentation framework, like Frida:
Inject your own scripts into black box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.
So the attacker discovers the function you are calling, then hooks into it to listen for the returned result and extracts it to a command and control server, or just modifies it to any value he pleases.
REVERSE ENGINEER
Can we create a SHA256 key, and can this SHA256 key be reverse engineered after building the APK?
Yes you can, and my preferred tool for doing it is the MobSF - Mobile Security Framework:
Mobile Security Framework is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static analysis, dynamic analysis, malware analysis and web API testing.
You can read the article How to Extract an API Key from a Mobile App with Static Binary Analysis to see how I have used MobSF to extract the API key, but the procedures will be similar to find and extract any other type of secret.
You can make the secret hard to find with static analysis by hiding it in native C code through the use of the JNI/NDK:
Using Android Studio 2.2 and higher, you can use the NDK to compile C and C++ code into a native library and package it into your APK using Gradle, the IDE's integrated build system. Your Java code can then call functions in your native library through the Java Native Interface (JNI) framework.
For an example implementation see this folder for the Currency Converter Demo, that is the companion mobile app for the article Steal that API Key with a Man in the Middle Attack:
In order to help to demonstrate how to steal an API key, I have built and released in Github the Currency Converter Demo app for Android, which uses the same JNI/NDK technique we used in the earlier Android Hide Secrets app to hide the API key.
So, in this article you will learn how to setup and run a MitM attack to intercept https traffic in a mobile device under your control, so that you can steal the API key. Finally, you will see at a high level how MitM attacks can be mitigated.
This article shows you how to use a proxy to carry out a Man in the Middle attack, which is another technique widely used to extract secrets from a mobile app. I find it very useful when I am not able to find the secrets through static analysis.
In the article I am using a very popular open source tool, mitmproxy:
An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.
LOCK THE API TO THE MOBILE APP
Is there any effective way for generating keyhash other than above method for securing application while calling APIs?
I think what you are looking for is to lock your API server to only accept requests from your mobile app, and if that is the case then please read this reply I gave to the question How to secure an API REST for mobile app? for the sections on Securing the API Server and A Possible Better Solution.
Basically, in that reply you can learn several techniques to defend your API server and try to lock it down to your mobile app with a high degree of confidence.
DO YOU WANT TO GO THE EXTRA MILE?
In any response to a security question I feel the need to reference the excellent work from the OWASP foundation.
For Mobile Apps
OWASP Mobile Security Project - Top 10 risks
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.
OWASP - Mobile Security Testing Guide:
The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.
For APIs
OWASP API Security Top 10
The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.
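As a release check for your own builds, related to the REVERSE ENGINEER section above, the following added example (not code from the answer or from the linked articles) scans the DEX and native library entries of an APK for a secret you know you shipped and for high-entropy strings that look like keys. It assumes the secret is a string literal compiled into the native library; the APK contents, the package name and the key value are constructed for the example.

```python
import io
import math
import re
import zipfile
from collections import Counter

# Runs of 20+ characters from the alphabet typical of API keys and tokens.
CANDIDATE = re.compile(rb"[A-Za-z0-9+/_\-]{20,}")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random keys score higher than identifiers or paths."""
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def scan_apk(apk_bytes: bytes, known_secrets=(), min_entropy=4.3):
    """Return sorted (entry, string, reason) findings for .dex and .so entries."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not name.endswith((".dex", ".so")):
                continue
            blob = apk.read(name)
            # Exact match on secrets the team knows it shipped.
            for secret in known_secrets:
                if secret.encode() in blob:
                    findings.add((name, secret, "known-secret"))
            # Heuristic match on key-like strings nobody listed.
            for m in CANDIDATE.finditer(blob):
                if shannon_entropy(m.group()) >= min_entropy:
                    findings.add((name, m.group().decode(), "high-entropy"))
    return sorted(findings)


def build_sample_apk() -> bytes:
    """Constructed sample: a made-up key stored only in the native library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex",
                   b"dex\n035\x00Lcom/example/app/MainActivity;\x00getApiKey\x00")
        z.writestr("lib/arm64-v8a/libnative-lib.so",
                   b"\x7fELF\x02\x01\x01\x00Java_com_example_app_MainActivity_getApiKey\x00"
                   b"Zk3Qp9Lx7Vb2Nc8Tj5Rw1Ym4Hd6Gs0Fa\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, value, reason in scan_apk(build_sample_apk()):
        print(f"{reason}: {entry}: {value}")
```

In the constructed sample the key is absent from classes.dex but is still reported from the .so entry, while the JNI symbol name and the class path fall below the entropy threshold.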