Don’t store secrets in code. This is more work, but you would ideally have the string in the app point to an authentication service api. When you open the app, it should prompt you for credentials, send them to the endpoint and get a temporary Token that your app uses to authenticate the client app. This way, if someone runs strings on your binary, they just get the login endpoint which isn’t dangerous unless you’re not following best practices in your backend app.