Re: Assuming they were properly hashed
Well, colo[u]r me stupid, but my (limited) understanding is:
1 - either the server expects the hashed data, in which case the hashed data is, for all intents and purposes, the password/authentication token/etc, so the hashing process was completely pointless and adds no security.
2 - or the server expects the plaintext data, but the app writer thinks that he/she is being clever by hashing the secret instead of storing it plain in the app, and unhashing before transmission. Which is pretty pointless, because the key must also be in the app, so you're adding minimal additional security by hashing.
Note that salting is irrelevant, for 2 similar reasons, which I won't bother to repeat.
Basically, if you need a secret to access a resource on the server, and you store that secret in your app somewhere, then you have to hope that (a) the attacker can't reverse-engineer your app, and (b) that the attacker can't break into the keychain and decode your TLS data to the server. And we all know at least one laptop manufacturer has done exactly that, and it would be pretty dumb to assume that your phone manufacturer hasn't done the same thing.
I think. In any event, I refuse to have a mobile banking app on my phone, despite regular requests from my bank.
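
The two cases from the comment above, as an added Python sketch that is not part of the original post: in both, the contents of the app bundle alone are enough to authenticate. The secret, salt, key, function names and the XOR transform are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values; nothing here comes from a real app or server.
SECRET = b"example-api-secret"
SALT = b"constructed-salt"
APP_KEY = b"key-shipped-in-app"


def salted_hash(secret, salt):
    return hashlib.sha256(salt + secret).digest()


def toy_transform(data, key):
    # Reversible XOR keystream standing in for the app's "unhash" step; not a real cipher.
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def server_expecting_hash(presented):
    # Case 1: the server compares whatever arrives against the hash it holds.
    return hmac.compare_digest(presented, salted_hash(SECRET, SALT))


def server_expecting_plaintext(presented):
    # Case 2: the server wants the secret itself.
    return hmac.compare_digest(presented, SECRET)


def build_app_bundles():
    # Everything the two hypothetical apps ship with.
    case1 = {"token": salted_hash(SECRET, SALT)}
    case2 = {"key": APP_KEY, "blob": toy_transform(SECRET, APP_KEY)}
    return case1, case2


def authenticate_from_bundle_only():
    # Uses only the bundle contents as input, the way someone holding the app would.
    case1, case2 = build_app_bundles()
    recovered = toy_transform(case2["blob"], case2["key"])
    return {
        "case1_hash_accepted": server_expecting_hash(case1["token"]),
        "case2_secret_recovered": recovered == SECRET,
        "case2_login_accepted": server_expecting_plaintext(recovered),
    }


if __name__ == "__main__":
    print(authenticate_from_bundle_only())
```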