PHP

Authorization via social networking with sdk is insecure (android). What should the algorithm look like on the server?

I am writing an android application, a client for a website. I stopped at authorization, there is a serious security issue. So, for starters, I’ll tell you how authorization / registration through social networks works on this site. networks (correct if errors are made here). First, the user makes a request to my-site.com/oauth_vk , then the server sends a request with clientID, clientSecret and callbackURL to the social network server, upon successful authorization, when the user has confirmed permission to use his data, we receive his data from the social server. networks. Among these data is his ID in the social. network, we use it to make a request to the database and understand that we need to register it or just authorize it, but in any case, we get its ID on our website from our database and a hash in order to write it in cookies (for further authentication by them).
This process, from my point of view, is safe, because. clientID, clientSecret are stored on the server, and it is not possible to forge a request.
But, the situation with the android application is different. I wrote the part when we already got the user data from the social. networks in the application. Further, it would be necessary to make a request to the server with the user ID from the social. networks to get from our database its ID on our website and a hash to perform further requests. Here I stopped, because. anyone who decompiles the application will see how to get the ID and hash on the site using the user ID in the social. network (it is not difficult for anyone to recognize it), and can thus log in on behalf of anyone. (And also, he learns the app_id of the social network).
This is a critical problem until I figure out what to do next. Tell me how to correctly implement authorization on the server using android-sdk so that there are no such security holes.