I work on a banking app, so obviously security is HUGE for us. We only use an obfuscator on the encryption module which contains the code used for establishing connections to the server, including encryption, client certificates, and other fun stuff.

However, looking at the app code won't tell you much because it's fairly stupid. It just displays data and allows users to send requests back to the server. There is no database access and no business logic at all client side - this was very important to me and I pushed hard for this design from the get-go. Our architecture uses separate data-only objects between the client and server as well as in the client so that none of the logic in our entities or back end processes is ever exposed through the client.

For example, if you looked at the code you'd see all of the fields listed that the user can input for "customer", but there's no logic at all for what it means to set a customer's password, how it is validated, and how it is encrypted to be stored in the database. We also validate all calls server side, whether they are validated on the client or not (though validation logic is exposed if it's used in both places). But someone couldn't figure out how to connect to our server directly and get bad requests through.

All of this had to pass an audit by a third party, which it did with flying colors - but we definitely developed with security in mind.
_________________________
-Jeff
Rome did not create a great empire by having meetings; they did it by killing all those who opposed them.
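
A minimal sketch of the design described in the post above, added here as an illustration and not the poster's code: a data-only "customer" object that the client can see, with all validation and password handling kept on the server. Every name, field rule and limit is an assumption, and PBKDF2 stands in for whatever password storage the real app uses, which the post does not specify.

```python
import hashlib
import os
import re
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class CustomerDTO:
    """Data-only object shared with the client: fields, no behaviour."""
    customer_id: str
    display_name: str
    new_password: str


class ValidationError(Exception):
    """Raised by the server for any request it refuses."""


def parse_customer_dto(payload: dict) -> CustomerDTO:
    """Accept exactly the DTO's fields, so extra keys never reach an entity."""
    allowed = {f.name for f in fields(CustomerDTO)}
    if set(payload) != allowed:
        raise ValidationError("unexpected or missing fields")
    if not all(isinstance(v, str) for v in payload.values()):
        raise ValidationError("all fields must be strings")
    return CustomerDTO(**payload)


def validate_customer(dto: CustomerDTO) -> None:
    """Server-side rules, applied whether or not the client checked them."""
    if not re.fullmatch(r"[0-9]{1,12}", dto.customer_id):
        raise ValidationError("bad customer id")
    if not 1 <= len(dto.display_name) <= 64:
        raise ValidationError("bad display name")
    if len(dto.new_password) < 12:  # hypothetical policy
        raise ValidationError("password too short")


def apply_customer_update(payload: dict, store: dict) -> None:
    """Server-only logic: the client never sees how the password is stored."""
    dto = parse_customer_dto(payload)
    validate_customer(dto)
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac(
        "sha256", dto.new_password.encode(), salt, 600_000)
    store[dto.customer_id] = {
        "name": dto.display_name, "salt": salt, "pw_hash": pw_hash}
```
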