Security Review OAuth Callback "Insecure Storage of Sensitive Data"

My solution for determining the user's email address is going to be to make a SOQL query to the sObject 'User' immediately after the OAuth flow completes. Is there something similar I can do for namespace prefix?

Yes, since Spring '16 you can query Organization.NamespacePrefix in SOQL.

SELECT NamespacePrefix FROM Organization

It's a bit more work, but you can also use the MetadataAPI.describeMetadata() result, DescribeMetadataResult.organizationNamespace.

It seems really odd that you even need to resolve the namespace of the managed package. This is fixed for the managed package in every org. It will be the same everywhere.

If for some reason you do need to resolve the namespace, and you know the API name of the Apex class that exposes the custom REST endpoint, then you could query the ApexClass records to get the NamespacePrefix that it is using.

Insecure Storage of Sensitive Data refers to storage of passwords in insecure locations such as unencrypted custom fields or public custom settings.

It has nothing to do with transport (even of sensitive data). Moreover, namespace prefixes and redirect URIs are not sensitive data in the sense above.

Either you are not correctly describing the issue or this is a false positive.

Please message me with the app name.