a.s.t.r.o

Reputation: 3338

How to develop secure Dropbox browser client?

A Dropbox browser client with application API key and secret stored in its source code is a bad idea as anyone could impersonate the application using them.

  1. But what about the Dropbox API key encoder? If it is used, can a third party obtain the original key/secret?
  2. If an attacker obtains the key/secret pair, what is the worst-case scenario that can happen to users of the compromised application?
  3. What are the best practices for dealing with Dropbox security in a browser-only client in order to have a perfectly secure implementation (if that is possible)?

I think that an application stored on the client can never be completely secure, but I would still like to hear from developers more experienced than me.

Thank you in advance for your help

Upvotes: 1

Views: 417

Answers (1)

user94559

Reputation: 60143

Caveat: I'm not a security expert.

Using the encoder might discourage a casual "attacker" from picking up your app key and secret, but it doesn't provide any true security. Here's a line of code using the JS library that converts an encoded key back into the unencoded key/secret pair:

Dropbox.Util.atob(Dropbox.Util.encodeKey(encodedSecret).split('|')[1]).split('?')

That said, the security risk here is that someone else uses your app key and secret, which is arguably not the end of the world. Pretty much all client apps that use OAuth (in the browser, on the desktop, and on mobile platforms) suffer from this problem. For example, here's one article discussing Twitter's leaked consumer key/secret: https://news.ycombinator.com/item?id=5337099.

I think the most likely consequence of exposing your app key and secret is that someone will copy/paste your code and use your credentials. This would be misleading to users (who will see the name of your app when they authorize via OAuth), and if another app takes your key and uses it in a malicious app, your legitimate app might end up being collateral damage.

Upvotes: 1
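The following is an added example, not code from the question, the answer, or the Dropbox SDK. It models the answer's point that a client-side "key encoder" is obfuscation, not protection. The format it uses (a hypothetical `v1|base64(key?secret)` layout chosen to match the shape of the answer's one-liner), the `StubApiClient` class, `startApp`, `captureCredentials` and the sample credential values are all assumptions made for the example; the real dropbox-js encoder is not reproduced. The second half shows that even an encoder whose scheme you do not know is moot, because the page's JavaScript has to hand the plaintext pair to the SDK eventually and that call can be intercepted from the browser.

```javascript
// Added example (not from the original post or the Dropbox SDK).
// 'v1|<base64>' wrapping 'key?secret' is a hypothetical format chosen to
// match the shape implied by the answer's one-liner.

const FORMAT_TAG = 'v1';

// The "encoder": produces the string the app would paste into its source.
function encodeAppKey(key, secret) {
  const payload = Buffer.from(`${key}?${secret}`, 'utf8').toString('base64');
  return `${FORMAT_TAG}|${payload}`;
}

// The inverse. Anyone who can read the app's JavaScript can write this,
// because the app itself must run the same logic before calling the API.
function decodeAppKey(encoded) {
  const parts = encoded.split('|');
  if (parts.length !== 2 || parts[0] !== FORMAT_TAG) {
    throw new Error('unrecognised encoded key format');
  }
  const fields = Buffer.from(parts[1], 'base64').toString('utf8').split('?');
  if (fields.length !== 2 || fields[0] === '' || fields[1] === '') {
    throw new Error('malformed key/secret payload');
  }
  return { key: fields[0], secret: fields[1] };
}

// Hypothetical stand-in for an SDK client class that receives the
// plaintext pair once the app has decoded it.
class StubApiClient {
  constructor(options) {
    this.key = options.key;
    this.secret = options.secret;
  }
}

// What the browser app does at start-up: decode, then construct a client.
// `sdk` is passed in so the example can show the constructor being swapped.
function startApp(sdk, encodedKey) {
  return new sdk.Client(decodeAppKey(encodedKey));
}

// Second recovery route, independent of the encoder's details: replace the
// constructor the app calls (from the devtools console, a bookmarklet or an
// extension) and record whatever the app hands it.
function captureCredentials(sdk, encodedKey) {
  const captured = [];
  const Original = sdk.Client;
  sdk.Client = class extends Original {
    constructor(options) {
      captured.push({ key: options.key, secret: options.secret });
      super(options);
    }
  };
  try {
    startApp(sdk, encodedKey);
  } finally {
    sdk.Client = Original; // restore so the app keeps working normally
  }
  return captured;
}

// Constructed sample credentials; not real Dropbox values.
const SAMPLE_KEY = 'abc123xyz';
const SAMPLE_SECRET = 'sup3rs3cr3t';
const SAMPLE_ENCODED = encodeAppKey(SAMPLE_KEY, SAMPLE_SECRET);

// Route 1: reverse the encoder directly.
console.log('decoded:', decodeAppKey(SAMPLE_ENCODED));
// Route 2: ignore the encoder and read what the app passes to the SDK.
console.log('captured:', captureCredentials({ Client: StubApiClient }, SAMPLE_ENCODED));
```

Both routes yield the same pair, which is why the answer treats the encoder as a deterrent for casual readers only: the browser is the attacker's machine, so whatever it can decode, they can decode.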
