A credential is embedded in the app and is trivially recoverable by unpacking it.
How it's exploited
Anyone can download your APK/IPA and run strings on it. A hardcoded API key, AWS credential, or private key is extracted in seconds and reused from an attacker's own scripts, far from your app's rate limits.
Why it matters
Cloud bills run up on your keys, backend data is accessed as "the app", and rotation is painful because the secret ships inside every installed copy.
How to fix it
Revoke and rotate the exposed secret now; assume it is public.
Move the capability server-side: the app calls your backend, the backend holds the secret.
For unavoidable client keys (analytics, maps), restrict them by package name/bundle id and scope them to the minimum permission.
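A pre-release check for the problem described above, as an added example that is not part of the original page: it unpacks a build as a zip archive and flags entries that contain the credential types mentioned. The rule set, the function names and the sample package (built inline from constructed, non-working values) are assumptions made for illustration.

```python
import io
import re
import sys
import zipfile

# Illustrative rules for the credential types named above (not exhaustive).
RULES = {
    "aws_access_key_id": re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(rb"AIza[0-9A-Za-z_\-]{35}"),
    "private_key_pem": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

def scan_package(data: bytes) -> list:
    """Return sorted (entry, rule) pairs for secrets found in an APK/IPA zip."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            if info.is_dir():
                continue
            blob = pkg.read(info)
            # Second view with NULs removed catches ASCII stored as UTF-16,
            # which a plain byte search would miss.
            for view in (blob, blob.replace(b"\x00", b"")):
                for rule, pattern in RULES.items():
                    if pattern.search(view):
                        findings.add((info.filename, rule))
    return sorted(findings)

def build_sample_package() -> bytes:
    """Constructed stand-in for an APK: a zip with planted fake secrets."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # AWS's published documentation example key ID, not a live credential.
        z.writestr("classes.dex", b"dex\n035\x00AKIAIOSFODNN7EXAMPLE\x00")
        # Constructed key-shaped string, stored as UTF-16.
        z.writestr("resources.arsc", ("AIza" + "0" * 35).encode("utf-16-le"))
        z.writestr("assets/signing.pem", b"-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n")
        z.writestr("res/raw/notes.txt", b"no secrets here")
    return buf.getvalue()

if __name__ == "__main__":
    # Pass a path to a real build, or run with no arguments for the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_package()
    hits = scan_package(data)
    for entry, rule in hits:
        print(f"{rule}: {entry}")  # report the location only, never the value
    sys.exit(1 if hits else 0)  # non-zero exit fails the CI job
```

A clean result only means none of these patterns matched; any hit is a secret that has to be rotated, not just deleted from the next build.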