There’s no practical way to distribute the consumer key and secret without compromising a little bit of security in the process. You’re not strictly forbidden from distributing unprivileged keys & secrets (you must use a standard OAuth flow), but you also take a certain amount of responsibility for the API keys and the potential abuse that can arise from having them publicly available.
I recommend making it easy for you to distribute new releases to update API keys when it is necessary for them to be reset as the result of abuse. Make sure that your contact information associated with the application and account are complete & accurate.
Another alternative is omitting API keys and asking users installing the application to register an application on dev.twitter.com and then import their keys into the application.
