Anyway interesting post.
If instead of using the POST data only to create the hash they added another information, like a the hour of the day. Wouldn't it be way harder for a hacker to actually understand what went into signing the request?
Indeed you could personalizes the keys for every user. So you could detect a leaked private key that is widely used and proceed against. Still that wouldn't hinder personal further use of that private key, e.g. for exporting data (similar to breaking DRM).
I'm sure there are additional techniques to obfuscate the private key, but relying on locked down devices isn't possible in the Android ecosystem. You don't need a device at all to perform the steps outlined in the article.