xAuth-enabled app: where to store the consumer secret?


#1

Hi folks,

Our mobile application has been approved for xAuth. We are trying to find the most reasonable place to store our application’s consumer key and consumer secret. In our current design, the client must be aware of the consumer key and consumer secret so that it can complete the xAuth flow with the user’s Twitter username and password:
– If they are hardcoded into the application, we must ship a new version each time the consumer key and consumer secret change, and released versions will no longer be able to complete the xAuth flow. A motivated attacker can just extract the new keys from the new application release anyway.
– If they are pulled from the server, an attacker can determine how the client is pulling the credentials (by attaching a debugger or by watching network traffic) and determine our consumer key & consumer secret whenever he likes.

The alternative is to send the user’s Twitter username and password to the server and have the server complete the xAuth flow. This prevents users from learning the consumer key and consumer secret, but it involves transmitting their Twitter credentials to our service (over a secure channel); we’re not sure if this complies with Twitter’s policies.

Given these issues, what is the recommended way to store our consumer key & consumer secret for our xAuth-enabled mobile application?

Thanks,
Alex
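To make the trade-off in the question concrete, here is an added example (not code from the original post) of what the client actually has to do with the consumer secret during xAuth: every OAuth 1.0a request, including the xAuth access-token request, carries an HMAC-SHA1 signature whose key is built from the consumer secret. Whoever signs the request must hold that secret, so it lives on whichever side completes the flow; and anyone who has extracted it can sign requests that verify identically. The endpoint URL and the `x_auth_*` body parameters are taken from Twitter's xAuth documentation of the time; the consumer key, secret, username and password in the test are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlencode

# xAuth exchanged a username/password directly for an access token at this
# OAuth 1.0a endpoint (as documented by Twitter at the time).
ACCESS_TOKEN_URL = "https://api.twitter.com/oauth/access_token"


def percent_encode(value):
    """RFC 5849 percent-encoding: only unreserved characters are left as-is."""
    return quote(str(value), safe="~")


def signature_base_string(method, url, params):
    """Build the OAuth 1.0a signature base string over all request parameters
    (oauth_* header parameters plus the form body), sorted by encoded key/value."""
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    param_str = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), percent_encode(url), percent_encode(param_str)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """The signing key is '<consumer_secret>&<token_secret>'. For the xAuth
    access-token request there is no token yet, so the consumer secret alone
    is the key: this is why the signer must hold it."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}"
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_xauth_request(consumer_key, consumer_secret, username, password,
                        nonce=None, timestamp=None):
    """Produce the signed POST (URL, headers, body) for the xAuth access-token
    request. nonce/timestamp are overridable so the result is reproducible."""
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    body_params = {
        "x_auth_mode": "client_auth",
        "x_auth_username": username,
        "x_auth_password": password,
    }
    base = signature_base_string("POST", ACCESS_TOKEN_URL, {**oauth_params, **body_params})
    oauth_params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret)
    header = "OAuth " + ", ".join(
        f'{percent_encode(k)}="{percent_encode(v)}"' for k, v in sorted(oauth_params.items())
    )
    return {
        "url": ACCESS_TOKEN_URL,
        "headers": {"Authorization": header,
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(body_params),
    }


def signature_is_valid(request, consumer_secret):
    """Recompute the signature the way the provider does. Only a holder of the
    consumer secret can produce a signature that passes, and an attacker who
    extracted the secret from the app binary passes this check just as well."""
    header = request["headers"]["Authorization"]
    if not header.startswith("OAuth "):
        return False
    oauth_params = {}
    for pair in header[len("OAuth "):].split(", "):
        k, v = pair.split("=", 1)
        oauth_params[unquote(k)] = unquote(v.strip('"'))
    presented = oauth_params.pop("oauth_signature", "")
    body_params = dict(parse_qsl(request["body"]))
    base = signature_base_string("POST", request["url"], {**oauth_params, **body_params})
    expected = hmac_sha1_signature(base, consumer_secret)
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    # Constructed sample credentials; nothing is sent over the network.
    req = build_xauth_request("sample-consumer-key", "sample-consumer-secret",
                              "alice", "p@ss word")
    print(req["headers"]["Authorization"])
    print(req["body"])
    print("verifies with real secret:", signature_is_valid(req, "sample-consumer-secret"))
    print("verifies with wrong secret:", signature_is_valid(req, "not-the-secret"))
```

Note that the user's password is in the signed body but is not part of the signing key: the signature proves possession of the consumer secret, not of the password. That is the asymmetry behind the question: moving the signing step to your own server keeps the consumer secret off the device, at the cost of routing the user's Twitter password through your server.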


#2

Sending the username and password upstream to your own servers would not be permissible as you’ve surmised.

Essentially this is a case of best-effort – you put your best effort into keeping the consumer key and secret secure given the constraints of the environment you’re working with. Storing directly within the application is usually the most appropriate and feasible – by deferring the key storage to a remote server you’d just be creating another potential security problem (between your application and your servers).


#3

Thank you Taylor for your quick response!