It is difficult to convert Dalvik byte code; I understand that there is no simple mapping to Java byte code, much less to Java source, especially if it went through ProGuard. However, auth parameters are usually data, not code, and can be easily tracked. Moreover, someone who is interested in breaking your credentials has many other means of attack, including packet sniffing, that do not require source code recovery. Anon's comment is exactly right: do not trust the client.
As for best practices, you can use a public key encryption system, get credentials from a server, etc., so as not to put sensitive information in an .apk file. Do not trust obfuscation or obscure byte code to keep your secrets. They will not.
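
A pre-release check for the point made in the answer above, as an added example that is not part of the original answer: it lists credential-like ASCII strings that remain readable inside an APK's files even when class and method names have been renamed. The keyword patterns, entropy threshold, function names and the sample archive are all assumptions constructed for this illustration.

```python
import io, math, re, zipfile

# Runs of printable ASCII, as the `strings` utility would report them.
PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")
# Hypothetical naming patterns for this example; tune them to your own code base.
KEYWORDS = re.compile(r"(?i)(api[_-]?key|secret|passw(or)?d|token)\s*[=:]")

def entropy(s):
    """Shannon entropy of s in bits per character."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_apk(apk_bytes, min_entropy=4.0, min_len=20):
    """Return sorted (member, reason, string) findings for an APK given as bytes."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            # read() decompresses the member, so deflated entries are covered too.
            for m in PRINTABLE.finditer(apk.read(name)):
                s = m.group().decode("ascii")
                if KEYWORDS.search(s):
                    findings.add((name, "keyword", s))
                elif len(s) >= min_len and " " not in s and entropy(s) >= min_entropy:
                    findings.add((name, "high-entropy", s))
    return sorted(findings)

def build_sample_apk():
    """Constructed stand-in for an APK: a zip whose classes.dex blob holds
    short renamed identifiers next to untouched string constants."""
    dex = (b"dex\n035\x00" + b"\x00" * 16
           + b"La;\x00b\x00"                             # obfuscated-looking names
           + b"api_key=EXAMPLE-not-a-real-key\x00"       # constructed placeholder
           + b"q7Zp2LxV9mKd4TfR8sWb3NhY6cJg1AeU\x00"     # constructed random-looking token
           + b"Hello world\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", dex)
        z.writestr("res/raw/notes.txt", "nothing sensitive in this file")
    return buf.getvalue()

if __name__ == "__main__":
    for member, reason, s in scan_apk(build_sample_apk()):
        print(f"{member}: {reason}: {s}")
```

Anything this reports in a release build is a value to move to the server side or rotate. The scan only sees ASCII runs, so a clean result does not prove that an archive carries no secrets.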