If these constants are contained within the "App" JSON, then anyone could simply make a request to that URL in their browser and acquire the credentials and impersonate your app.
By putting it on the app, this is not possible. Of course, if a hacker were to hack your app they can do so no matter how much you protect it, but this provides higher security than making it available publicly.
Another way to do this would be to protect the JSON endpoint using authentication, but this is when you have your own authentication server. For a lot of 3rd party API client type apps (think Reddit client, Twitter client, etc.) it is overkill to create an authentication server just to send over client_id and client_secret. By putting the client_id on the device, all you need to provide is the App JSON and all the authentication is taken care of between the device and the 3rd party API endpoints (Amazon, Twitter, Reddit, etc.).
Hope this makes sense!
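
A pre-publish check for the point made above, as an added example that is not part of the original reply: it walks an App JSON that will be served from a public URL and reports any populated credential-like fields. The JSON layout, the key-name pattern and the function names are assumptions made for illustration.

```python
import json
import re

# Key names treated as credentials (assumption: extend for your own API providers).
SENSITIVE_KEY = re.compile(
    r"(client[_-]?id|client[_-]?secret|api[_-]?key|token|password)$", re.I
)


def find_credential_fields(node, path="$"):
    """Walk a parsed JSON document and return the paths of credential-like fields."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            # Flag only fields that carry a value, not empty placeholders.
            if SENSITIVE_KEY.search(key) and value not in (None, "", [], {}):
                hits.append(child)
            hits.extend(find_credential_fields(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_credential_fields(item, f"{path}[{index}]"))
    return hits


def check_app_json(text):
    """Return (ok, findings) for the raw text of a publicly served App JSON."""
    findings = find_credential_fields(json.loads(text))
    return (not findings, findings)


# Constructed sample documents; the layout is hypothetical, not a real App JSON schema.
LEAKY = '''{"name": "Demo", "auth": {"provider": "reddit",
  "client_id": "EXAMPLE_ID", "client_secret": "EXAMPLE_SECRET"},
  "screens": [{"title": "Home", "headers": {"api_key": "EXAMPLE_KEY"}}]}'''
CLEAN = '''{"name": "Demo", "auth": {"provider": "reddit", "client_id": ""},
  "screens": [{"title": "Home"}]}'''

if __name__ == "__main__":
    for label, doc in (("leaky", LEAKY), ("clean", CLEAN)):
        ok, findings = check_app_json(doc)
        print(label, "OK" if ok else "credentials found at: " + ", ".join(findings))
```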