I have addressed the issue in my own open source Twitter applications.
You DO NOT distribute ConsumerKey or ConsumerKeySecret with source code. A sensible approach is to create two constants / global variables (or any other) that contain these values, and they are EMPTY in the source you publish. Include some documentation that explains to other developers how to get their own keys and how to change the source to install them.
If you distribute compiled binaries, you must compile with the ConsumerKey and ConsumerKeySecret entries for the application to run.
There is a non-safe way to handle this; this is the character of OAuth. However, you can be reasonably safe and achieve what this approach seeks.
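A pre-publish check for the practice described in the answer above, as an added example that is not the answerer's code: it scans source text and reports any `ConsumerKey` or `ConsumerKeySecret` constant that is not empty. The function names, the assignment syntaxes the pattern accepts, and the sample inputs are assumptions made for this illustration.

```python
import re

# Constant names come from the answer; the syntaxes matched are assumptions:
#   ConsumerKey = "..."    const string ConsumerKeySecret = '...';
#   ConsumerKey: str = "..."    "ConsumerKey": "..."
ASSIGNMENT = re.compile(
    r"\b(?P<name>ConsumerKeySecret|ConsumerKey)\b[\"']?\s*"
    r"(?::\s*[\w.]+\s*)?(?:=|:)\s*"
    r"(?P<q>[\"'])(?P<value>.*?)(?P=q)"
)


def find_embedded_keys(source_text):
    """Return (line_number, constant_name) for every key constant that is not empty."""
    findings = []
    for lineno, line in enumerate(source_text.splitlines(), start=1):
        for match in ASSIGNMENT.finditer(line):
            # Whitespace-only values count as empty: they cannot be real keys.
            if match.group("value").strip():
                findings.append((lineno, match.group("name")))
    return findings


def check_publishable(files):
    """files maps path -> source text. Returns {path: findings} for offending files only."""
    report = {}
    for path, text in files.items():
        findings = find_embedded_keys(text)
        if findings:
            report[path] = findings
    return report


# Constructed sample inputs (not real credentials).
CLEAN = 'ConsumerKey = ""\nConsumerKeySecret = ""\n'
LEAKY = (
    "// fill these in with your own keys\n"
    'const string ConsumerKey = "CONSTRUCTED-KEY";\n'
    'const string ConsumerKeySecret = "";\n'
)

if __name__ == "__main__":
    report = check_publishable({"config_clean.py": CLEAN, "Config.cs": LEAKY})
    for path, findings in report.items():
        for lineno, name in findings:
            print(f"{path}:{lineno}: {name} is not empty; clear it before publishing")
    raise SystemExit(1 if report else 0)
```

Run as a pre-commit or release step over the files that hold the constants, a non-zero exit status blocks publishing until the values are cleared.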