Well, that depends on your application I would say.
If you have a server which can control this, that would be one solution.
In my case, I am not using a server, so I do it locally on the device. Generally, I use a SQLite DB. Since I was not able to get SQLCipher working with it (encrypted database), I wrote some encryption layer myself, which will auto encrypt and decrypt any key and value stored/read from DB. The encryption key is generated on first launch, divided into several parts - some stored in the DB, some stored on file system, some part is static and some can be obtained from the device (I will not disclose how I do it exactly ). The parts are modified via several transformations and the complete logic is run through an obfuscator.
This is in no way a 100% secure solution, but from my point of view a sufficient solution for my use case, where no user to user game interaction will be affected (the user just can gain some single-player benefits).
The 0.00001% of people who has the time, passion and thrill to figure that out has better options to do so in a hybrid app in my opinion.
If the benefits could affect user-to-user interaction I would try to find better solutions, probably server side.
Hope that helps a bit.