If spoofing of white-listed IP addresses is a concern to Twitter (and
it probably is), I have a proxy infrastructure in place with already
white-listed IP addresses that can make API calls from IP addresses
that are not the same as my website IP address.
It will take one hell of a lucky guess by anyone to guess those IP
It is perhaps something all larger apps should put in place, namely
the ability to use white-listed IP addresses that are not the same as
your easily identifiable website IP address.