Hi,

In an installed client app it is just not a good idea to assume that the consumer secret is actually secret or to rely on this in the way you build your server. There is no way to ensure this secrecy and it is not an issue specific to OAuth. The token secret is a bit of a better bet since it is unique per client.
I believe both Google and Yahoo have guidelines for people building installed clients using OAuth, so I recommend you take a look at those guidelines when considering how to do your own implementation.

Ethan

On Thu, Oct 29, 2009 at 6:06 PM, jrojas78 <[email protected]> wrote:
>
> Hello,
>
> How does OAuth deal with client apps that can be "decompiled"? If I
> want to build a client app that uses an OAuth service like Twitter, how
> do I protect my secret key? All it takes is one person to hack the
> client and share the secret key, and then my app would be vulnerable to
> spoofing. The best approach would be to never share the secret key on
> the client.
>
> How can OAuth deal with this?
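To make Ethan's point concrete, here is an added example (not code from the thread or from any OAuth library) that implements OAuth 1.0a HMAC-SHA1 signing and verification as specified in RFC 5849. The signing key is the encoded consumer secret, an ampersand, and the encoded token secret, so an attacker who has decompiled the app and pulled out the consumer secret can produce valid signatures for the app with a token they themselves own, but cannot sign for another user whose token secret they never received. The URL, keys and secrets below are constructed for the example.

```python
"""OAuth 1.0a HMAC-SHA1 signing (RFC 5849), client and server side.

Added example: shows why a consumer secret shipped inside an installed app
protects little, and what the per-user token secret still protects.
All credentials and the URL are constructed for illustration.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s) -> str:
    """RFC 5849 section 3.6: encode everything except unreserved characters."""
    return quote(str(s), safe="-._~")


def base_string_uri(url: str) -> str:
    """RFC 5849 section 3.4.1.2: lowercase scheme/host, drop default port and query."""
    p = urlsplit(url)
    scheme, host = p.scheme.lower(), (p.hostname or "").lower()
    if p.port is not None and p.port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{p.port}"
    return f"{scheme}://{host}{p.path or '/'}"


def normalize_params(url: str, params) -> str:
    """RFC 5849 section 3.4.1.3: query + protocol params, encoded, sorted, joined.
    oauth_signature is never part of the base string."""
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True)) + list(params)
    encoded = sorted((pct(k), pct(v)) for k, v in pairs if k != "oauth_signature")
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, url: str, params) -> str:
    """RFC 5849 section 3.4.1.1: METHOD & enc(base URI) & enc(normalized params)."""
    return "&".join([method.upper(), pct(base_string_uri(url)),
                     pct(normalize_params(url, params))])


def hmac_sha1_sign(base: str, consumer_secret: str, token_secret: str) -> str:
    """RFC 5849 section 3.4.2: the key is enc(consumer secret) '&' enc(token secret).
    Both halves are needed; the consumer secret alone is half a key."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, oauth_params: dict, consumer_secret, token_secret) -> dict:
    """Client side: return the protocol parameters with oauth_signature filled in."""
    base = signature_base_string(method, url, list(oauth_params.items()))
    return dict(oauth_params, oauth_signature=hmac_sha1_sign(base, consumer_secret, token_secret))


def verify_request(method, url, signed: dict, consumer_secrets: dict, token_secrets: dict) -> bool:
    """Server side: look up both secrets by their public keys, recompute, compare in
    constant time. Unknown consumer key or token fails closed."""
    try:
        cs = consumer_secrets[signed["oauth_consumer_key"]]
        ts = token_secrets[signed["oauth_token"]]
    except KeyError:
        return False
    expected = hmac_sha1_sign(signature_base_string(method, url, list(signed.items())), cs, ts)
    return hmac.compare_digest(expected, signed.get("oauth_signature", ""))


# Constructed server-side state: one installed app, two users with access tokens.
URL = "http://api.example.com/1/timeline.json?count=20"
CONSUMER_SECRETS = {"installed-app-key": "secret-compiled-into-the-binary"}
TOKEN_SECRETS = {"alice-token": "alice-token-secret", "mallory-token": "mallory-token-secret"}


def protocol_params(token: str) -> dict:
    """Fixed nonce/timestamp so the example is deterministic; real clients randomize."""
    return {"oauth_consumer_key": "installed-app-key", "oauth_token": token,
            "oauth_nonce": "7d8f3e4a", "oauth_timestamp": "1256860000",
            "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0"}


def alice_request() -> dict:
    """Legitimate client holding the app secret and Alice's token secret."""
    return sign_request("GET", URL, protocol_params("alice-token"),
                        CONSUMER_SECRETS["installed-app-key"], TOKEN_SECRETS["alice-token"])


def mallory_as_alice() -> dict:
    """Mallory decompiled the app (has the consumer secret) but only has her own
    token secret; she presents Alice's token anyway."""
    return sign_request("GET", URL, protocol_params("alice-token"),
                        CONSUMER_SECRETS["installed-app-key"], TOKEN_SECRETS["mallory-token"])


def mallory_as_app() -> dict:
    """Mallory uses the leaked consumer secret with her own token: this is what a
    leaked consumer secret does buy, impersonating the app, not other users."""
    return sign_request("GET", URL, protocol_params("mallory-token"),
                        CONSUMER_SECRETS["installed-app-key"], TOKEN_SECRETS["mallory-token"])


def server_accepts(signed: dict) -> bool:
    return verify_request("GET", URL, signed, CONSUMER_SECRETS, TOKEN_SECRETS)


if __name__ == "__main__":
    print("alice herself     ->", server_accepts(alice_request()))
    print("mallory as alice  ->", server_accepts(mallory_as_alice()))
    print("mallory as the app->", server_accepts(mallory_as_app()))
```

The server should therefore treat the consumer key as an identifier for the app, not as proof of who is calling, and put every authorization decision on the token, which is issued per user and per app and can be revoked individually.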
