I'm building an (amateur) application that uses the Twitter API, which supports authentication via the OAuth protocol.
Part of the OAuth sign-in process involves each application being assigned a Consumer Key and Consumer Secret (both strings), which are used to generate signatures for communication with the Twitter server.
The Twitter dev guide explicitly states that one should 'Keep the "Consumer secret" a secret. This key should never be human-readable in your application.' This is obviously important, as if a malicious individual obtains your credentials, they can impersonate your app.
However, I do not see how this can be achieved. In order for the application to use the string, it must be accessible to the app somehow (either directly coded into the app, stored in a bundled database, or accessible via a linked web service) - and if it's accessible to the app, it must be accessible to the user. It can be obfuscated by splitting, character-shifting, etc., but not (as far as I can see) in any way that can't be undone.
This SO answer confirms my suspicions that this is a problem - I was wondering if there had been any progress since it was posted in December '09?
Upvotes: 3
Views: 877
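To make concrete why the consumer secret matters (and why a leaked copy is equivalent to the app itself), here is an added Python example, not from the question or from any Twitter library, that implements the OAuth 1.0a HMAC-SHA1 signing procedure from RFC 5849 on both the client and the verifying side. Every key, secret, URL and nonce value is a constructed placeholder.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholder values; nothing here is a real Twitter credential.
CONSUMER_KEY = "CONSUMER_KEY_PLACEHOLDER"
CONSUMER_SECRET = "CONSUMER_SECRET_PLACEHOLDER"
SAMPLE_URL = "https://api.example.com/1/statuses/update.json"
SAMPLE_PARAMS = {
    "status": "Hello World!",
    "oauth_consumer_key": CONSUMER_KEY,
    "oauth_nonce": "abc123",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1318622958",
    "oauth_version": "1.0",
}

def pct(s: str) -> str:
    """RFC 5849 3.6 percent-encoding: only ALPHA / DIGIT / - . _ ~ stay bare."""
    return quote(str(s), safe="-._~")

def base_string(method: str, url: str, params: dict) -> str:
    """RFC 5849 3.4.1: METHOD & enc(url) & enc(sorted, encoded params)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with enc(consumer_secret)&enc(token_secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify(method, url, params, consumer_secret, presented, token_secret=""):
    """Server side: recompute the signature and compare in constant time."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)

def secret_holder_can_impersonate(leaked_secret: str) -> bool:
    """Whoever holds the consumer secret produces signatures the server accepts
    as the legitimate app; a wrong secret is rejected. That is the risk behind
    the Twitter guidance quoted above."""
    sig = sign("POST", SAMPLE_URL, SAMPLE_PARAMS, leaked_secret)
    return verify("POST", SAMPLE_URL, SAMPLE_PARAMS, CONSUMER_SECRET, sig)

if __name__ == "__main__":
    print(base_string("POST", SAMPLE_URL, SAMPLE_PARAMS))
    print("real secret accepted:", secret_holder_can_impersonate(CONSUMER_SECRET))
    print("wrong secret accepted:", secret_holder_can_impersonate("not-the-secret"))
```

Because the signature is a pure function of the request and the secret, the only way to keep the secret out of the device is to run `sign()` on a backend you control (the "linked web service" option from the question) and ship only the resulting signed request to the client.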
The problem with mobile devices is that it is in the user's hands. And with enough time/effort the user can pull any data out of the device. It isn't an OAuth security problem, it is an overall security problem that there really isn't an answer for.
Upvotes: 1