There seems to be an inconsistency in the Slack API docs in that the OAuth flow requires a client_secret be provided as part of the exchange of the code for the OAuth token as documented at https://api.slack.com/methods/oauth.access
However, the client secret then needs to be embedded into the mobile app, which goes against Slack's recommendations at https://api.slack.com/docs/oauth-safety which state:
Your Client Secret should be treated delicately. It is how you securely identify your application's rights and identity when exchanging tokens with Slack. Do not distribute client secrets in email, distributed native applications, client-side javascript, or public code repositories.
Are there any best practices available in terms of how to manage this discrepancy where the client secret seems to be required for auth but at the same time should not be embedded into the mobile app?