Hello. In the User-Agent OAuth  flow --> a access token and refresh token are returned . How can I store refresh token in a secure fashion (I mean if the phone is rooted then the attacker can keep on using refresh token to gain unlimited access). 

 https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/intro_understanding_user_agent_oauth_flow.htm