This issue has been discussed at http://groups.google.com/group/oauth?hl=en. You might find that informative. Some highlights:

An OAuth Consumer that's deployed to users' desktops or mobile devices can't keep a secret. One should assume its consumer key and consumer secret will be known to attackers. Consequently, OAuth doesn't really assure the user that he's authorizing a legitimate copy of the Consumer software. (There are other ways to assure this; for example the user might trust Apple's app store.)

Such a Consumer should avoid revealing a user's token secrets to other users or other applications on the same platform. I've heard that the iPhone Keychain is useful for this purpose. There's no need to hide token secrets from their user (although the user should be discouraged from revealing his token secrets to other users).

OAuth provides some value in this situation. It enables the Consumer to avoid storing the user's password, and avoid transmitting the password with each request to the Service Provider. (Instead, it stores an access token secret, and signs each request.) It enables the Service Provider to revoke permission for each Consumer individually, without changing the password.
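
The request signing and per-Consumer revocation described above, as an added Python example that is not part of the original post: it implements OAuth 1.0 HMAC-SHA1 signing (RFC 5849) against a hypothetical `ServiceProvider` class, with constructed keys, secrets and URL. Nonce and timestamp replay checks are left out to keep the focus on the two secrets.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(s):
    """RFC 5849 percent-encoding: only unreserved characters stay literal."""
    return quote(s, safe="-._~")

def base_string(method, url, params):
    """Signature base string: METHOD & encoded URL & encoded sorted parameters."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 keyed with both secrets; the password is never in the request."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

class ServiceProvider:
    """Hypothetical provider: one token secret per (Consumer, user) grant."""
    def __init__(self, consumer_secrets):
        self.consumer_secrets = consumer_secrets  # consumer key -> consumer secret
        self.token_secrets = {}                   # access token -> token secret

    def verify(self, method, url, params, signature):
        consumer_secret = self.consumer_secrets.get(params.get("oauth_consumer_key"))
        token_secret = self.token_secrets.get(params.get("oauth_token"))
        if consumer_secret is None or token_secret is None:
            return False                          # unknown Consumer or revoked token
        expected = sign(method, url, params, consumer_secret, token_secret)
        return hmac.compare_digest(expected, signature)

    def revoke(self, token):
        self.token_secrets.pop(token, None)       # the user's password is untouched

# Constructed sample values, not real credentials.
URL = "https://sp.example/photos"
PARAMS = {"oauth_consumer_key": "desktop-app", "oauth_token": "tok-alice",
          "oauth_nonce": "n1", "oauth_timestamp": "1700000000",
          "oauth_signature_method": "HMAC-SHA1", "file": "vacation.jpg"}

def demo():
    sp = ServiceProvider({"desktop-app": "shipped-in-binary"})
    sp.token_secrets["tok-alice"] = "alice-token-secret"
    good = sign("GET", URL, PARAMS, "shipped-in-binary", "alice-token-secret")
    # Consumer secret alone (assumed public) does not yield a valid signature.
    consumer_only = sign("GET", URL, PARAMS, "shipped-in-binary", "")
    before = (sp.verify("GET", URL, PARAMS, good),
              sp.verify("GET", URL, PARAMS, consumer_only))
    sp.revoke("tok-alice")
    return before, sp.verify("GET", URL, PARAMS, good)
```

`demo()` returns the verification results before revocation (valid signature, consumer-secret-only signature) and the result for the valid signature after the token is revoked.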