Be aware that if it's in your program, then it's inherently unsecure. No matter what you do, if the app has the ability to make that secure connection with info it contains, then that info can be pulled out by an experienced hacker with time and desire.
But are you that concerned about that level of threat? Obviously just throwing it into an app.config file is about as low-security as you get. All that has to happen is that someone opens the file with a text reader and ta-da, they have your credentials.
Maybe you would want to store an encrypted version in the config file and keep a private key in your app. At least a text reader can't "break" it. Of course someone might use reflector and decompile your app to get the private key.
Well you could obfuscate the app. That would make it harder to find that private key. Yes still not impossible.
Maybe you want that private key to be pulled off of a server through a web service or something. Then if someone has the app, they can't get it - though they can always reverse engineer how the web service call is made. Or do a man-in-the-middle and look at the key on the network.
Maybe you could use SSL to protect the transmission. Maybe do MAC filtering on the service to make it more difficult for an unauthorized device to get the key.
You can see the progression here. Each level of security requires more and more work. More and more maintenance. You have to decide what the return on the investment is going to be for your scenario and pick a level of security you're comfortable with for the amount of effort you're willing to spend on it.