For an example say we have an application such as a client based application which connects to an API using an api key. We are saying for this purpose there is no OAuth. How would a string or in this example an api key be hidden from the client. To be used it needs to be in the code which is on the clientside. How do we keep the string safe? If users decompile the code they could find the key.
This is a very basic example with solutions such as server siding the connection, but in general how do you protect strings that must be present in the code. Deobfuscation is a pain.