It is not recommended to hard-code
client_secret into a native app i.e. to use what is called a "confidential client" in a mobile app scenario exactly because the
client_secret cannot be kept a secret.
A native app would typically be a "public client" to the Authorization Server i.e. one that does not have a
client_secret. Security would come from the fact that a unique redirect URI is registered and additional OAuth features like PKCE (https://tools.ietf.org/html/rfc7636) are applied.
For general recommendations on using OAuth 2.0 for native apps see: https://tools.ietf.org/html/draft-ietf-oauth-native-apps, especially the security considerations at: https://tools.ietf.org/html/draft-ietf-oauth-native-apps-10#section-8