Under the constraints that the user only has access to a release (signed) build of the Android app and doesn't know the signing key. No rooted phone either. The token isn't sent through insecure channels (like HTTP). The user only uses default HTTPS certificates. The token is not exposed in any way through the user interface.
I am almost sure it is impossible (or at least very, very hard), but I want to be sure by asking you guys.