Need some tips for Laravel Passport and Android
Hello,
I would like to know if someone could give me some tips on the best way to implement Laravel Passport with an Android app (Phonegap). I am creating my first app that communicates with Laravel and I am unsure about the security part of it.
At the moment my client_id and secret_key are on the app itself in clear text.
When the user logs in from the app, the client_id and secret_key are checked server side using the Laravel API. Upon a good login, a token and refresh_token are sent to the user's mobile database. None of the data in the database is hashed, as someone told me that it was useless to hash tokens on the mobile side.
What I would like to know is:
1) Is it OK to leave the client_id, client_key, token and refresh_tokens unhashed on the mobile side?
2) There is one part of OAuth2 that I do not understand: how does this logic protect you against someone who cracks open your app, steals all the code, recreates a new app under a similar name and asks customers to log in with it? It is my understanding that a new app using my code will let people log in to the website while silently being able to steal all the usernames and passwords.
Thank you!
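As an added example (not the poster's code), this is the password-grant login and the refresh-token exchange that a Phonegap app performs against Passport's `/oauth/token` endpoint, written as small functions with `fetch` injected so the logic can be exercised offline against a constructed response. The client id, secret, credentials and base URL are placeholders.

```javascript
// Laravel Passport token endpoint (fixed by Passport itself).
const TOKEN_PATH = '/oauth/token';

// Body for grant_type=password. Note: a client_secret shipped inside an app
// binary is readable by anyone with the APK, so this "secret" only identifies
// the app; it does not authenticate it. Security rests on the user's
// credentials and on the server's token handling, not on this value.
function passwordGrantBody(clientId, clientSecret, username, password, scope = '') {
  return new URLSearchParams({
    grant_type: 'password',
    client_id: clientId,
    client_secret: clientSecret,
    username,
    password,
    scope,
  }).toString();
}

// Body for grant_type=refresh_token, used instead of re-sending the password.
function refreshGrantBody(clientId, clientSecret, refreshToken, scope = '') {
  return new URLSearchParams({
    grant_type: 'refresh_token',
    refresh_token: refreshToken,
    client_id: clientId,
    client_secret: clientSecret,
    scope,
  }).toString();
}

// Turn Passport's JSON reply into a record with an absolute expiry time.
// Passport returns {token_type, expires_in, access_token, refresh_token}
// on success and {error, message} on failure.
function parseTokenResponse(json, nowMs = Date.now()) {
  if (json.token_type !== 'Bearer' || typeof json.access_token !== 'string') {
    throw new Error('token request failed: ' + (json.error || 'malformed response'));
  }
  return {
    accessToken: json.access_token,
    refreshToken: json.refresh_token,
    expiresAt: nowMs + json.expires_in * 1000,
  };
}

// Refresh a little early so a request never leaves with a dying token.
function needsRefresh(tokens, nowMs = Date.now(), skewMs = 60 * 1000) {
  return nowMs + skewMs >= tokens.expiresAt;
}

// POST a grant body to the server; fetchFn is injectable for offline tests.
async function requestToken(baseUrl, body, fetchFn = fetch) {
  const res = await fetchFn(baseUrl + TOKEN_PATH, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded', Accept: 'application/json' },
    body,
  });
  return parseTokenResponse(await res.json());
}
```

The returned record is what the app keeps on the device; the access token is what goes in the `Authorization: Bearer` header, and the refresh token is only ever sent back to `/oauth/token`.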