I am currently developing a multi-platform application that uses Twitter, including authentication through OAuth.
I looked through a lot of existing applications, and most of them seem to insert both the identifier and the secret key inside the application.
What are the risks to this? Is it just that someone can "download and verify" your binary application to extract your key, and can it pretend to be your application (phishing style)? Or are there other risks?
Besides risks, are there any workarounds or solutions that people know about?
The only solution I've already seen is that some people get around this by routing all twitter calls through their own website - for example, OAuth Twitter using only the consumer key (do not use a user's secret) on iPhone and Android - but this seems rather slow and expensive - I would prefer not to route all calls through my own web service if I can avoid it (or did I misunderstand the solution - is it just authorization that goes through the website?)
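The "route through your own website" approach the question mentions does not have to mean proxying every API response. In OAuth 1.0a the only step that needs the consumer secret is computing the HMAC-SHA1 signature, so a small server-side signing endpoint can hold the secret and hand the client a finished `Authorization` header, while the client still talks to the API directly. The following is an added example written for this answer, not code from the question, from Twitter, or from any OAuth library; all names are hypothetical, the credentials are constructed placeholders, and the Twitter URL is only a sample value. It implements the RFC 5849 base-string construction and signing on the server side, plus the verification routine a provider would run, so you can see that a client holding only the signed header never learns the secret.

```python
"""
Added example (not from the question or any Twitter library): a minimal
server-side "signing service" for OAuth 1.0a HMAC-SHA1. The consumer secret
lives only on your web server; the mobile client sends method, URL and
parameters and receives the oauth_* parameters back. All names hypothetical.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit

# Server-side only. Constructed placeholder values, not real credentials;
# in a real deployment these come from an environment variable or secret store.
CONSUMER_KEY = "consumer-key-placeholder"
CONSUMER_SECRET = "consumer-secret-placeholder"


def pct(s: str) -> str:
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters are kept."""
    return quote(str(s), safe="-._~")


def base_string_uri(url: str) -> str:
    """Lowercase scheme and host, drop default ports, strip query and fragment."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Section 3.4.1: METHOD&encoded(uri)&encoded(sorted, encoded parameters)."""
    encoded = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str = "") -> str:
    """Section 3.4.2: key is encoded(consumer_secret)&encoded(token_secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, params, token="", token_secret="", nonce=None, timestamp=None):
    """Runs on the server: returns the oauth_* parameters including the signature.
    The client never receives CONSUMER_SECRET, only the result of using it."""
    oauth = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    base = signature_base_string(method, url, {**params, **oauth})
    oauth["oauth_signature"] = hmac_sha1_signature(base, CONSUMER_SECRET, token_secret)
    return oauth


def authorization_header(oauth: dict) -> str:
    """Section 3.5.1: the header the client attaches to its direct API call."""
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))


def verify_signature(method, url, params, oauth, consumer_secret, token_secret=""):
    """What the provider does: recompute the signature and compare in constant time."""
    claimed = oauth["oauth_signature"]
    unsigned = {k: v for k, v in oauth.items() if k != "oauth_signature"}
    base = signature_base_string(method, url, {**params, **unsigned})
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected, claimed)


if __name__ == "__main__":
    url = "https://api.twitter.com/1.1/statuses/home_timeline.json"  # sample URL
    signed = sign_request("GET", url, {"count": "5"}, token="tok", token_secret="tsec")
    print(authorization_header(signed))
```

The client-side cost is one round trip to your server per API call to fetch a fresh nonce, timestamp and signature, rather than proxying the whole API response. The signing endpoint itself must authenticate its callers (a per-device session with your server, for instance), because anyone who can obtain signatures from it gets the same capability as someone holding the secret; and if the user's token secret is also kept server-side, the device holds nothing but its session with you.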