We are developing a native mobile app in iOS and would like to allow users to authenticate using Twitter. We only want to authenticate and get a user access token we use with our own API for identity. We do not need to send or read tweets, etc. We are following these steps to do so: https://dev.twitter.com/twitterkit/ios/log-in-with-twitter
Twitter’s guidance says consumer secrets “should be considered as sensitive as passwords, and must not be shared or distributed to untrusted parties”:
https://dev.twitter.com/oauth/application-only
However, the Twitter Kit installation guide has us store the consumer secret in clear text in the app, where it would be distributed to the App Store and could be decompiled or read with a hex editor: https://dev.twitter.com/twitterkit/ios/installation
I do see where the Best Practices guide suggests using bcrypt, but details are light, and then where would one store those keys safely? https://dev.twitter.com/basics/security-best-practices
Can someone explain either why I’m mistaken and storing the consumer secret in code is acceptable, or steps for modifying the installation sample code to make it secure in this use case?
Thanks!
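Added example, not from the post above or from Twitter Kit: the OAuth 1.0a HMAC-SHA1 signing step is the only thing the consumer secret is used for, and it can run on a backend the app calls instead of on the device. The consumer key/secret, callback URL and nonce values below are constructed placeholders; the endpoint and signing rules follow OAuth 1.0a as Twitter's API uses it.

```python
import base64
import hashlib
import hmac
import os
import secrets
import time
from urllib.parse import quote

# Hypothetical backend-held credentials (constructed placeholders). In a real
# deployment these come from the server's secret store, never from the app bundle.
CONSUMER_KEY = "EXAMPLE_CONSUMER_KEY"
CONSUMER_SECRET = os.environ.get("TWITTER_CONSUMER_SECRET", "EXAMPLE_CONSUMER_SECRET")


def pct(s: str) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0a requires (only unreserved chars kept)."""
    return quote(str(s), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD & enc(url) & enc(sorted 'k=v' pairs of all request + oauth_* params)."""
    encoded = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str = "") -> str:
    """Sign with key enc(consumer_secret)&enc(token_secret); base64 of the 20-byte digest."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, params, token="", token_secret="", nonce=None, timestamp=None):
    """Server-side signing. Returns the oauth_* params the app forwards; none hold the secret."""
    oauth = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    base = signature_base_string(method, url, {**params, **oauth})
    oauth["oauth_signature"] = hmac_sha1_signature(base, CONSUMER_SECRET, token_secret)
    return oauth


def authorization_header(oauth: dict) -> str:
    """Render the Authorization header the app (or the backend) sends to Twitter."""
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
```

The request_token and access_token exchanges of the login flow are both signed this way, so the backend can drive them and hand the app only its own session token.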