Using OAuth you have a consumer key and consumer secret to identify your application and the user provides an OAuth access token and secret to authenticate your application access to their account, say Twitter. Lets says you are developing a desktop application in Python that has to Twitter functionality that uses OAuth how is possible to keep your consumer key secret? Is it so bad if it's not keep secret? What are the alternatives here beside asking users to registers their own Twitter applications and use their own consumer key and secret.
-
Possibly relevant; http://stackoverflow.com/questions/4600897/how-to-keep-a-developer-key-secret-in-a-python-script-that-is-hosted-on-github – Sam Nicholls Oct 13 '13 at 16:51
1 Answers
No matter what programming language that you use, if the consumer secret is somewhere inside the binary, it can be retrieved.
If it is simply hardcoded in the source, a simple $ strings -a app.exe
will give you a list of strings in the binary. The consumer secret will be one of them.
Obfuscation might deter the casual snoop, but given enough time and resources, it can be extracted.
Is it so bad if it's not keep secret?
Someone in possession of your consumer key/secret pair can pose as your application, abuse whatever restrictions the twitter API has, which might result in your app being unusable for other users and eventually getting blacklisted[1]
What are the alternatives here beside asking users to registers their own Twitter > applications and use their own consumer key and secret.
Instead of the app itself making calls to the twitter API, you can have a proxy service that you send the oauth token/secret pair to and it makes the necessary API calls, returning data to the user. (As mentioned in the relevant stackoverflow thread)