How keys should be distributed?

Several software applications needs to encrypt and decrypt data,
requiring either a single key in symmetrical encryption algorithms or
public/private keys in asymmetrical algorithms, but how these keys
should be distributed?
Embed the key(s) within the application executable is a very
vulnerable approach, since an attacker may trace API calls, or run the
application under a debugger and simply halt the program when the keys
has been reconstructed.
And what about the risk to distribute the key in every exeucutable
copy embedded within, if some attacker gets this key it can make it
public, and every user of this application may use it to break its own
installation.

Can anyone give me any suggestion? Or point me in the correct
direction to avoid these problems?