How to protect my Consumer Key and Consumer Secret Key


#1

Hi Everyone,

I am currently in the process of developing a Twitter application in C# and .NET. I read that I should not “reveal” my consumer secret, but I have not been able to come up with a good solution for this. Any disassembler can easily disassemble my app, or any app for that matter, and read the consumer secret. I have also tried using my App.config, but that simply writes an XML file next to the exe, so this solution is even less secure. I am assuming this is a problem for many people, so I have the following questions:

  1. What are you currently using to protect your consumer secret?
  2. What are the consequences of someone having access to my consumer secret? For my app and for me.
  3. What do the Twitter Developers recommend is the best solution for this?

Answers to any, or all, of these questions will be greatly appreciated.

Thanks!
Tom


#2

I asked the same question at https://dev.twitter.com/discussions/5196 and got no reply :(


#3

I guess an answer to this is nonexistent =/


#4

This is a best-effort scenario with a sliding scale of importance. You’re responsible for what’s done with your application key ultimately, but you can’t get around having to distribute it in an application and making it vulnerable. Plan ahead for the possibility of the key being compromised – make it easy for you to release a new version and distribute new consumer keys when necessary. Use web-based or out-of-band mode OAuth and stay away from xAuth. Don’t distribute any access tokens with the application. Limit the opportunities for abusive behavior to be possible using your application itself.

If you follow those cautions, the worst thing that can happen is that your key is compromised and used to abuse the system in some way in your name. Then your consumer key would be reset to end the compromise and you would need to distribute your new consumer key again.
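
The flow the post above recommends (out-of-band, PIN-based OAuth 1.0a, with no access token shipped in the binary), as an added example that is not code from this thread or from Twitter. It is written in Python rather than the asker's C# so it runs stand-alone; the endpoint URLs are Twitter's documented OAuth 1.0a endpoints, and every key, token, PIN and server reply below is a made-up value, with the provider side replaced by a constructed fake that checks the signature with the same consumer secret. It shows what the consumer secret is actually used for (it is half of the HMAC-SHA1 key for every signed request), the three oob steps, and what the other side sees.

```python
"""OAuth 1.0a HMAC-SHA1 signing plus the out-of-band (PIN) flow, run offline."""
import base64
import hashlib
import hmac
import secrets
import time
import urllib.parse

# Twitter's documented OAuth 1.0a endpoints.
REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"
AUTHORIZE_URL = "https://api.twitter.com/oauth/authorize"
ACCESS_TOKEN_URL = "https://api.twitter.com/oauth/access_token"


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0a requires: only -._~ stay unencoded."""
    return urllib.parse.quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """params holds every oauth_* parameter plus query/form parameters (unsigned)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string. The consumer secret is part of the key for
    every request, which is why a desktop client cannot avoid shipping it."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(digest.digest()).decode()


def authorization_header(method, url, oauth_params, body_params, consumer_secret, token_secret=""):
    """Sign one request and format the OAuth Authorization header."""
    sig = sign(method, url, {**oauth_params, **body_params}, consumer_secret, token_secret)
    parts = {**oauth_params, "oauth_signature": sig}
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(parts.items()))


def parse_header(header):
    """Inverse of authorization_header: decoded oauth_* parameters as a dict."""
    out = {}
    for item in header[len("OAuth "):].split(", "):
        k, v = item.split("=", 1)
        out[urllib.parse.unquote(k)] = urllib.parse.unquote(v.strip('"'))
    return out


class PinFlow:
    """Client side of the oob flow. transport(method, url, headers, body) returns the
    response body; it is injected so the exchange can run against a fake provider."""

    def __init__(self, consumer_key, consumer_secret, transport):
        self.ck, self.cs, self.transport = consumer_key, consumer_secret, transport

    def _oauth_params(self, **extra):
        return {"oauth_consumer_key": self.ck, "oauth_nonce": secrets.token_hex(16),
                "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())),
                "oauth_version": "1.0", **extra}

    def _post(self, url, oauth_params, token_secret=""):
        hdr = authorization_header("POST", url, oauth_params, {}, self.cs, token_secret)
        return dict(urllib.parse.parse_qsl(self.transport("POST", url, {"Authorization": hdr}, "")))

    def start(self):
        """Step 1: request token with oauth_callback=oob; returns the URL to show the user."""
        resp = self._post(REQUEST_TOKEN_URL, self._oauth_params(oauth_callback="oob"))
        if resp.get("oauth_callback_confirmed") != "true":
            raise RuntimeError(f"request token refused: {resp}")
        self.req_token, self.req_secret = resp["oauth_token"], resp["oauth_token_secret"]
        return f"{AUTHORIZE_URL}?oauth_token={pct(self.req_token)}"

    def finish(self, pin):
        """Step 3: trade the request token and the PIN the user typed for an access token."""
        params = self._oauth_params(oauth_token=self.req_token, oauth_verifier=pin)
        return self._post(ACCESS_TOKEN_URL, params, self.req_secret)


class FakeTwitter:
    """Constructed stand-in for the provider: verifies the signature with the same
    consumer secret and answers with made-up tokens (not real credentials)."""
    CONSUMER_SECRET = "example-consumer-secret"
    REQ_SECRET, PIN = "example-request-secret", "1234567"

    def __call__(self, method, url, headers, body):
        p = parse_header(headers["Authorization"])
        sig = p.pop("oauth_signature")
        token_secret = self.REQ_SECRET if url == ACCESS_TOKEN_URL else ""
        if not hmac.compare_digest(sig, sign(method, url, p, self.CONSUMER_SECRET, token_secret)):
            return "error=bad_signature"
        if url == REQUEST_TOKEN_URL and p.get("oauth_callback") == "oob":
            return (f"oauth_token=example-request-token&oauth_token_secret={self.REQ_SECRET}"
                    "&oauth_callback_confirmed=true")
        if url == ACCESS_TOKEN_URL and p.get("oauth_verifier") == self.PIN:
            return "oauth_token=example-access-token&oauth_token_secret=example-access-secret"
        return "error=denied"


def run_pin_flow(pin=FakeTwitter.PIN):
    """Whole exchange: returns (authorize URL shown to the user, access-token response)."""
    flow = PinFlow("example-consumer-key", FakeTwitter.CONSUMER_SECRET, FakeTwitter())
    return flow.start(), flow.finish(pin)


if __name__ == "__main__":
    print(run_pin_flow())
```

The consumer key and secret are still in the client, which is the point of the post above: the only thing this flow keeps out of the binary is the user's access token and secret, which are obtained at run time and stored per user. Rotating a compromised consumer key then means changing two constants and shipping a new build, so keep them in one place; against a real provider, replace the `FakeTwitter` transport with an HTTPS POST that sends the `Authorization` header and returns the response body.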


#5

So that is why they made OAuth 2.0, but Twitter has not upgraded to it yet:
in OAuth 2.0 you do not have to share your client secret at all, just the client ID.