Why is storing consumer secret in IOS app acceptable?



We are developing a native mobile app in iOS and would like to allow users to authenticate using Twitter. We only want to authenticate and get a user access token we use with our own API for identity. We do not need to send or read tweets, etc. We are following these steps to do so: https://dev.twitter.com/twitterkit/ios/log-in-with-twitter

Twitter’s guidance says consumer secrets “should be considered as sensitive as passwords, and must not be shared or distributed to untrusted parties”:

However, the Twitter Kit installation guide has us store consumer secret in clear text in the app, where it would be distributed to the App Store and could be decompiled or read with a hex editor: https://dev.twitter.com/twitterkit/ios/installation

I do see where the Best Practices guide suggests using bcrypt, but details are light, and then where would one store those keys safely? https://dev.twitter.com/basics/security-best-practices

Can someone explain either why I’m mistaken and storing the consumer secret in code is acceptable, or steps for modifying the installation sample code to make it secure in this use case?



Posted previously here: TwitterKit v3 - Embedding consumer secret seems insecure

I think there might be one or a few similar posts on top of this.


Can someone answer the question? I have the same trouble.