currently I'm connecting to smtp server (which belongs to poczta.onet.pl - popular mail service in poland) using my login and password which are specified in the code. Are you saying that "bad people" will fetch this data? What can they do then?
Harcoding your login and password make yourself recognize by the server (so validate the connection). And then, people using your app will be seen by the server as if you were the one sending a mail.

Instead your app should asked for a valid login and password on the relevant SMTP server. So, never harcode one in your app.