@nubesik then you decompile the app to extract the token, or use a mitm proxy if they didn't do certificate pinning. There's always a way.