How to Store Auth Tokens in Routine Apps

Sarah Smith
6 min read · Dec 24, 2022

What do you do with a login token in your app? OWASP guides list storing a token in local storage as a vulnerability:

M2: Insecure Data Storage | OWASP Foundation

Vulnerable? Really?

I wonder what Google & Apple think about a broad declaration that their app storage is a vulnerability.

Here is the threat:

  • the adversary physically obtains the mobile device
  • the adversary hooks up the mobile device to a computer
