When adding Twitter authentication to my Android app (Twitter dev), I was stunned to find that I needed to initialize Twitter Fabric, for example:
    import io.fabric.sdk.android.Fabric;
    import com.twitter.sdk.android.Twitter;
    import com.twitter.sdk.android.core.TwitterAuthConfig;
    ...
    // In the Application subclass: both credentials are passed as string literals
    @Override
    public void onCreate() {
        super.onCreate();
        TwitterAuthConfig authConfig = new TwitterAuthConfig("consumerKey", "consumerSecret");
        Fabric.with(this, new Twitter(authConfig));
    }
They officially recommend that I put both the API key and the API secret in my application as plaintext. Even in this official example, the keys are stored in BuildConfig.
I use ProGuard, but even then I cannot guarantee that a particular hacker will not be able to use my API secret. Do installed applications such as Quora also contain these keys?
Can someone post an example of how to overcome this vulnerability, or provide a convincing argument for why Twitter does this?
With Google and Facebook, by contrast, I only needed to add an AppID, and I had to hash my signing certificates and link the hashes to the respective applications. This is a higher level of security.
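The concern in the question is that a consumer key and secret end up as string literals in the APK, either passed straight to TwitterAuthConfig or generated into BuildConfig. One defensive check a team can run before release is a scan of the source tree and generated sources for exactly those patterns. The following is an added example, not code from the question or from the Twitter SDK; the sample files it scans are constructed here (the credential values are made up), and the helper names scan_source, scan_tree and release_gate are this example's own.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample sources, modelled on the snippet in the question.
# The "credential" values below are placeholders, not real keys.
SAMPLE_FILES: Dict[str, str] = {
    "app/src/main/java/com/example/App.java": '''
import io.fabric.sdk.android.Fabric;
import com.twitter.sdk.android.Twitter;
import com.twitter.sdk.android.core.TwitterAuthConfig;

public class App extends android.app.Application {
    @Override
    public void onCreate() {
        super.onCreate();
        TwitterAuthConfig authConfig = new TwitterAuthConfig("consumerKey", "consumerSecret");
        Fabric.with(this, new Twitter(authConfig));
    }
}
''',
    "app/build/generated/source/buildConfig/debug/com/example/BuildConfig.java": '''
public final class BuildConfig {
  public static final String TWITTER_KEY = "PLACEHOLDER_KEY_abcdefghijklmnop";
  public static final String TWITTER_SECRET = "PLACEHOLDER_SECRET_0123456789abcdef0123456789abcdef";
}
''',
    "app/src/main/java/com/example/Safe.java": '''
public class Safe {
    // The secret stays on our own backend; the app only holds a URL.
    private static final String BACKEND = "https://example.invalid/twitter/login";
}
''',
}

# Pattern 1: a TwitterAuthConfig constructed from two string literals.
LITERAL_AUTHCONFIG = re.compile(
    r'new\s+TwitterAuthConfig\s*\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)')
# Pattern 2: a static String constant whose name suggests a credential
# (this is where Gradle buildConfigField values end up).
SECRET_FIELD = re.compile(
    r'static\s+final\s+String\s+(\w*(?:SECRET|KEY|TOKEN)\w*)\s*=\s*"([^"]*)"',
    re.IGNORECASE)


class Finding(NamedTuple):
    file: str
    line: int
    kind: str
    name: str
    value_len: int  # length only: the scanner must not echo the secret into CI logs


def scan_source(path: str, text: str) -> List[Finding]:
    """Return one Finding per hard-coded credential pattern in a single source file."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LITERAL_AUTHCONFIG.search(line)
        if m:
            findings.append(Finding(path, lineno, "literal-auth-config",
                                    "TwitterAuthConfig", len(m.group(2))))
        m = SECRET_FIELD.search(line)
        if m:
            findings.append(Finding(path, lineno, "credential-field",
                                    m.group(1), len(m.group(2))))
    return findings


def scan_tree(files: Dict[str, str]) -> List[Finding]:
    """Scan every file in a {path: contents} mapping (a stand-in for walking a checkout)."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_source(path, text))
    return findings


def release_gate(findings: List[Finding]) -> bool:
    """True when the build may ship: no embedded credentials were found."""
    return len(findings) == 0


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f.file}:{f.line}: {f.kind} {f.name} ({f.value_len} chars)")
    print("release allowed:", release_gate(scan_tree(SAMPLE_FILES)))
```

The scanner reports the field name, file and line plus the length of the literal, never the literal itself, so a CI failure message does not become another place the secret is written down. In a real pipeline the mapping would be built by walking both the source tree and the generated BuildConfig directory, since the question notes that the official sample puts the keys there.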