in reply to Hiding passwords in scripts
    &use_password_somehow( &get_secret_password_from_somewhere);

becomes

    my $no_longer_so_secret_password = &get_secret_password_from_somewhere;
    print STDOUT $no_longer_so_secret_password . "\n";
    &use_password_somehow( $no_longer_so_secret_password );

In other words, if the app can get the password, so can the developers.
So again 'security thru obscurity' doesn't offer anything.
Musing: and if you don't trust the developers -- who (in some shops) have access to root, to DB root, to CVS sources, to code, to docs, to core data, and (in some shops) have physical access to key servers / routers / etc, and thus could wreak all kinds of malicious stuff, should they be so inclined -- well, then, things certainly don't look so good. Figure out who needs access to what, give the right people access to what they need, and lock down securely (not just obscure) the other stuff for the other folks. And at some level, certain key individuals have to be trusted, bottom line.