Jul 28, 2023
Unfavourable situation:
Token is captured by an attacker.
If the user doesn't install the app again, the token will stay valid on the server until its lifetime expires. Hence a security mechanism like SSL pinning would help.
Secondly, on the server side I would ask the client for certain distinguishing values such as device model and OS version. With this step, the server would verify the authenticity of the requester.
What do you think?
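The device-binding check and the server-side token lifetime from the post above, as an added example (not code from the original post): the server hashes the distinguishing values the client reports into a fingerprint at issuance, and later rejects a token that is unknown, revoked, expired, or presented with different device attributes. The server key, the token store, the attribute names and the one-hour lifetime are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side secret for this example; a real deployment loads it from a secret store.
SERVER_KEY = b"example-server-key-not-for-production"
TOKEN_LIFETIME = 3600  # seconds; assumed lifetime for the example

# In-memory token store standing in for a database: token_id -> record
TOKENS = {}


def device_fingerprint(device_attrs):
    """Hash the distinguishing values the client reports (device model, OS version, ...)
    so the server stores a stable, keyed fingerprint rather than the raw attributes."""
    canonical = "|".join(f"{k}={device_attrs[k]}" for k in sorted(device_attrs))
    return hmac.new(SERVER_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id, device_attrs, now=None):
    """Create a random token bound to the reporting device and to an expiry time."""
    now = time.time() if now is None else now
    token_id = secrets.token_urlsafe(32)
    TOKENS[token_id] = {
        "user": user_id,
        "fingerprint": device_fingerprint(device_attrs),
        "expires": now + TOKEN_LIFETIME,
        "revoked": False,
    }
    return token_id


def validate_token(token_id, device_attrs, now=None):
    """Return (ok, reason_or_user). A token is rejected when unknown, revoked,
    expired, or presented with device attributes that differ from issuance."""
    now = time.time() if now is None else now
    rec = TOKENS.get(token_id)
    if rec is None:
        return False, "unknown token"
    if rec["revoked"]:
        return False, "revoked"
    if now >= rec["expires"]:
        return False, "expired"
    if not hmac.compare_digest(rec["fingerprint"], device_fingerprint(device_attrs)):
        return False, "device mismatch"
    return True, rec["user"]


def revoke_user_tokens(user_id):
    """Server-side revocation: the remedy for a captured token that has not yet expired,
    since nothing on the client can invalidate it once it has leaked."""
    count = 0
    for rec in TOKENS.values():
        if rec["user"] == user_id and not rec["revoked"]:
            rec["revoked"] = True
            count += 1
    return count


if __name__ == "__main__":
    phone = {"model": "Pixel 7", "os": "14"}  # constructed client-reported values
    tok = issue_token("alice", phone, now=1000)
    print(validate_token(tok, phone, now=1500))                        # (True, 'alice')
    print(validate_token(tok, {"model": "Pixel 7", "os": "13"}, now=1500))  # device mismatch
    print(validate_token(tok, phone, now=1000 + TOKEN_LIFETIME))       # expired
    revoke_user_tokens("alice")
    print(validate_token(tok, phone, now=1500))                        # revoked
```

Two design points worth noting: device model and OS version are self-reported, so an attacker who captured the token from the same device can usually replay them as well, which makes the fingerprint a modest hurdle rather than proof of authenticity; the controls that actually shorten the window for a captured token are the server-side expiry and revocation shown above, and, where the platform offers it, binding the token to a key held in hardware-backed storage that cannot be copied off the device.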