There isn't really a way around it other than implementing authentication in a remote server. In that scenario, the app doesn't authenticate directly with the service, but with a private server. This way you can, for example, authenticate your users and create sessions before they can access the Dropbox API.
It can still be abused, but at least you can know who did it.
Surely you need to grant your app to be able to indentify itself, that means it has to have its secret baked in?