# squarelibraries
c
Yeah. I've been reading more online. Like most security issues... there's a lot of wiggle room in what you should do. I guess my point was that I don't see how client-side hashing or encryption accomplishes anything, but it seems like basically it's used to obfuscate logs, really, and not used for protecting against a MITM. I really wish there was a security guide for mobile apps or something that took into account what other organizations do. I feel like security is a never-ending rabbit hole and people can always come up with hypothetical attack vectors.
z
I feel like security is a never-ending rabbit hole and people can always come up with hypothetical attack vectors.
It pretty much is. That's why it's a whole sub-industry, with its own conferences etc., and many companies have whole teams dedicated to it full-time.
👍 1
j
If you hash things on the client, you're just looking to get your own key extracted from the binary. Worse, if you hash in a repeatable manner, sending a fixed string is about the same as sending the username/password from the client (an attacker that can read your traffic will just replay the encrypted credentials; they don't even need to decrypt them). It can help with logs, it's true. If your team is writing all request bodies to disk (or if they are using something to dump local variables in the event of an error), passwords can end up in places you don't want them to.
👍 1