Secret keys should not be EVER on the client app!
Keep the “Consumer Secret” a secret. This key should never be human-readable in your application.
Unfortunately it is the nature of OAuth 1.0 that both keys are needed to sign requests. There are a few options to structure your app more securely though:
- You could dynamically load your keys from a web server under your control, with access control appropriate for your application.
- Where available, you could store the keys in an encrypted block in your app, not in code, making then impossible to scrape.
- You can enable “callback locking” for your application, so that compromised keys cannot be used to authorise users against other domains.
Where available, you could store the keys in an encrypted block in your app, not in code, making then impossible to scrape.
Even with this, for them to be used, they need to be loaded in memory in plain text, so theoretically, someone can still get to them.