The real question is what the attacker gains from the theft...
You should do everything possible to protect the secret, but in the end, a highly motivated hacker can always get to it in an installed application. So this is about the degree of secrecy and the difficulty of extraction.
The value of the client secret represents the application. It does not give access to user data. However, since Twitter supports the automatic issuance of credentials to previously approved applications (Sign in with Twitter), an attacker could potentially create a web application with your secret and steal user data using blind redirects.
The problem with Twitter's implementation is that they do not ask the developer about the nature of the application. If they did, they would not give you a secret to begin with, and would block anyone from creating a web application using your client credentials to steal data from users who have already approved it.
Obfuscation is one option, but a weak one. Moving the secret to a web server acting as an API proxy is another, but it just moves the problem elsewhere, because now your application must authenticate against the proxy. However, this pattern can be quite safe if you require users to have an account on your site (which can use Sign in with Twitter via the web). Then someone trying to abuse your proxy server would need their users to open accounts on your service, which is not very attractive.
In short, go ahead and obfuscate it. It does not hurt. Consider using the proxy pattern. And perhaps let Twitter know that their security policies are not great.
Eran Hammer Aug 20 2018-11-18T00:00Z
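The proxy pattern described in the answer above, as an added example that is not part of the original post or of Eran Hammer's own code: the installed app never holds the OAuth client secret; it presents only a per-user session token to the proxy, and the proxy signs the upstream request (OAuth 1.0a HMAC-SHA1, the scheme Twitter used) with the secret it keeps server-side. The key, secret, session table and user tokens are constructed sample values, and the session lookup stands in for whatever account system the site uses; the block builds the signed request but does not send it.

```python
"""API-proxy pattern: the client secret stays on the server.

The installed app authenticates to the proxy with its own session token
(obtained when the user signed in on the website); the proxy attaches the
OAuth signature and forwards the call.  The secret never reaches the client.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlencode

# Constructed sample credentials; not real keys.
CLIENT_KEY = "example-client-key"
CLIENT_SECRET = "example-client-secret"  # lives only on the proxy, never in the app

# Per-user upstream tokens the proxy obtained when the user signed in through
# the website, keyed by the proxy's own session token (constructed sample data).
SESSIONS = {
    "sess-alice": {"oauth_token": "alice-token",
                   "oauth_token_secret": "alice-token-secret"},
}


def _enc(value):
    """RFC 3986 percent-encoding as required by OAuth 1.0a."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Build the OAuth 1.0a signature base string from the request parts."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items())
    param_str = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(url), _enc(param_str)])


def hmac_sha1_signature(base_string, token_secret):
    """Sign the base string with client secret & token secret (HMAC-SHA1)."""
    key = f"{_enc(CLIENT_SECRET)}&{_enc(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_upstream_request(session_token, method, url, query=None,
                           nonce=None, timestamp=None):
    """Validate the proxy session, then produce the signed upstream request.

    Raises PermissionError when the session token is unknown, so an attacker
    who copies the app cannot use the proxy without an account on the site.
    """
    session = SESSIONS.get(session_token)
    if session is None:
        raise PermissionError("unknown or expired proxy session")
    query = dict(query or {})
    oauth = {
        "oauth_consumer_key": CLIENT_KEY,
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": session["oauth_token"],
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**query, **oauth})
    oauth["oauth_signature"] = hmac_sha1_signature(base, session["oauth_token_secret"])
    header = "OAuth " + ", ".join(f'{_enc(k)}="{_enc(v)}"' for k, v in sorted(oauth.items()))
    full_url = url + ("?" + urlencode(query) if query else "")
    return {"method": method.upper(), "url": full_url,
            "headers": {"Authorization": header}}


if __name__ == "__main__":
    req = build_upstream_request(
        "sess-alice", "GET",
        "https://api.twitter.com/1.1/account/verify_credentials.json")
    print(req["headers"]["Authorization"])
```

The check worth keeping in mind is the one in `build_upstream_request`: the proxy does not merely hide the secret, it refuses to sign anything for a caller without a valid session, which is what makes the pattern more than a change of hiding place.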