It would be less work for me to run Charles Proxy and catch the consumer key/secret in transit than to decompile it and figure out where in the code it is actually stored when distributed with the app.

Previously with basic auth you could use anybody's source param and spoof their application. At least with OAuth you have to acquire their consumer key/secret first. You guys are all freaking out about this when this is how the internet works. Just look at email. With a single line of PHP I can send any of you an email from any email address.*

Abraham

*There are technologies to stop this but very few mail servers use them. Currently Gmail refuses email from paypal.com unless it is signed by their key.

On Mon, Jan 18, 2010 at 15:35, M. Edward (Ed) Borasky <zzn...@gmail.com> wrote:
>
> On Jan 18, 2:27 pm, Dossy Shiobara <do...@panoptic.com> wrote:
> > Hint: If the data is in RAM at any point in time, your entry-level
> > hacker kiddie can recover the keys in cleartext.
>
> Ayup :-(
>
> > Storing your key on a remote server and fetching it doesn't protect it
> > either. As long as that key is brought to a machine that an attacker
> > has full control over, it might as well be stored with the app in
> > plaintext.
>

--
Abraham Williams | Moved to Seattle | May cause email delays
Project | Intersect | http://intersect.labs.poseurtech.com
Hacker | http://abrah.am | http://twitter.com/abraham
This email is: [ ] shareable [x] ask first [ ] private.