Comment by NikkiA
TBF, strings might not trivially show up the password if you took the most basic of provisions (a non-ASCII password, not stored right next to the username separated by a \0), but most programmers likely wouldn't even bother with that.
Even then you can MITM if you have elevated access to the platform and can tinker with the certificate store.
Games like Pokemon Go use a highly obfuscated algorithm to sign requests, which makes it much harder to actually use the key if you can retrieve it.