You can't keep OAuth secret or any other "secrets" at the server side.
If you keep it there, your app needs to download it - then the attacker can do it as well. You need something "secret" to be at the app. And the ease of decomilation doesn't help there.
