I'm a member of the "AndTweet project" creating an Open Source Twitter client for Google Android (http://code.google.com/p/andtweet/), and now I'm starting to implement OAuth for the AndTweet mobile application. I've already registered AndTweet and got, among others, the "Consumer key" and "Consumer secret". According to the Twitter documentation (http://dev.twitter.com/pages/auth), I should "Remember to never reveal your consumer secrets".
Please note this:

1. Our project is open, so everybody can join it and see its source code.

2. As the OAuth documentation states (http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iii-security-architecture/):

--- Quote start ----
However, when the Consumer is a desktop application, a mobile application, or any other client-side software such as browser applets (Flash, Java, Silverlight) and scripts (JavaScript), the Consumer credentials must be included in each copy of the application. This means the Consumer Secret (or Private Key) must be distributed with the application, which inheritably compromises them. This does not prevent using OAuth within such application, but it does limit the amount of trust Service Provider can have in such public secrets. Since the secrets cannot be trusted, Service Provider must treat such application as unknown entities and use the Consumer identity only for activities that do not require any level of trust, such as collecting statistics about applications
--- Quote end ---

So how is our development group supposed to work with these "secrets"? Can we just inject them into the source code? (In this case everybody will know them... but as long as everybody has the source code, figuring out the values of the "secrets" even in the compiled application is not a problem...)

What "Consumer key" and "Consumer secret" should we use for testing?

... Thank you for the feedback!
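The signing step behind the quoted passage, written out as an added Python example (not AndTweet's code and not Twitter's library): OAuth 1.0a HMAC-SHA1 signing plus the check the Service Provider runs on its side. The request_token URL is Twitter's endpoint from that era; the consumer key, secret, nonce and timestamp are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"

def pct(s):
    """RFC 3986 percent-encoding as OAuth 1.0a requires (only -._~ stay unencoded)."""
    return quote(str(s), safe="-._~")

def normalize_params(params):
    """Encode keys and values, sort by (key, value), join as k=v&k=v."""
    return "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params.items()))

def signature_base_string(method, url, params):
    """METHOD&encoded(url)&encoded(normalized params); oauth_signature is excluded."""
    return "&".join([method.upper(), pct(url), pct(normalize_params(params))])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with consumer_secret&token_secret.
    The consumer secret is needed even for the first call (request_token), when no
    user token exists yet, so any client that signs requests must carry it."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def verify(method, url, params, consumer_secret, token_secret=""):
    """The Service Provider's check: recompute with the secret stored for this consumer
    key and compare in constant time. It proves only that the caller holds the secret,
    which for a shipped mobile app is anyone who has a copy of the package."""
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(params.get("oauth_signature", ""), expected)

def signed_request_token_params(consumer_key, consumer_secret, nonce, timestamp):
    """Build the oauth_* parameters for the request_token call and attach the signature.
    Credentials passed in are constructed placeholders, not AndTweet's or Twitter's."""
    params = {"oauth_callback": "oob", "oauth_consumer_key": consumer_key,
              "oauth_nonce": nonce, "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": timestamp, "oauth_version": "1.0"}
    params["oauth_signature"] = sign("POST", REQUEST_TOKEN_URL, params, consumer_secret)
    return params

if __name__ == "__main__":
    p = signed_request_token_params("ck", "PLACEHOLDER_CONSUMER_SECRET", "n1", "1318622958")
    print(p["oauth_signature"], verify("POST", REQUEST_TOKEN_URL, p, "PLACEHOLDER_CONSUMER_SECRET"))
```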