Our mobile application has been approved for xAuth. We are trying to find the most reasonable place to store our application’s consumer key and consumer secret. In our current design, the client must be aware of the consumer key and consumer secret so that it can complete the xAuth flow with the user’s Twitter username and password:
– If they are hardcoded into the application, we must ship a new version each time the consumer key and consumer secret change, and released versions will no longer be able to complete the xAuth flow. A motivated attacker can just extract the new keys from the new application release anyway.
– If they are pulled from the server, an attacker can determine how the client is pulling the credentials (by attaching a debugger or by watching network traffic) and determine our consumer key & consumer secret whenever he likes.
The alternative is to send the user’s Twitter username and password to the server and have the server complete the xAuth flow. This prevents users from learning the consumer key and consumer secret, but it involves transmitting their Twitter credentials to our service (over a secure channel); we’re not sure if this complies with Twitter’s policies.
Given these issues, what is the recommended way to store our consumer key & consumer secret for our xAuth-enabled mobile application?
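The server-side alternative described above, as an added example (not code from the question's author): the consumer secret is the HMAC-SHA1 signing key for the xAuth access-token request, so it must be present wherever that request is built, and the proxy design keeps that on the server. The endpoint URL is Twitter's documented one; the environment variable names and the injected `send` function are assumptions made for the example.

```python
import base64, hashlib, hmac, os, secrets, time
from urllib.parse import quote

# Real xAuth endpoint (documented by Twitter); everything else here is a constructed example.
ACCESS_TOKEN_URL = "https://api.twitter.com/oauth/access_token"

def pct(s):
    # OAuth 1.0a percent-encoding: only RFC 3986 unreserved characters are left as-is
    return quote(str(s), safe="-._~")

def signature_base_string(method, url, params):
    # Encode every key/value, sort by encoded key, join with '&', then encode the three parts again
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(base_string, consumer_secret, token_secret=""):
    # HMAC-SHA1 keyed with consumer_secret&token_secret: whoever holds this key can sign requests
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()

def build_xauth_request(consumer_key, consumer_secret, username, password, nonce=None, timestamp=None):
    """Build the signed xAuth access-token request. This runs wherever the consumer secret
    lives: on the device for the embedded-secret design, on the server for the proxy design."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    body = {"x_auth_mode": "client_auth", "x_auth_username": username, "x_auth_password": password}
    base = signature_base_string("POST", ACCESS_TOKEN_URL, {**oauth, **body})
    oauth["oauth_signature"] = sign(base, consumer_secret)
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return {"url": ACCESS_TOKEN_URL, "headers": {"Authorization": header}, "body": body,
            "base_string": base, "signature": oauth["oauth_signature"]}

def server_exchange(username, password, send, env=os.environ):
    """Server-side proxy from the question: the device POSTs the user's Twitter credentials to us
    over TLS, we sign with a secret read from server configuration (hypothetical variable names),
    and only the resulting user token goes back to the device. The secret never leaves the server."""
    req = build_xauth_request(env["TWITTER_CONSUMER_KEY"], env["TWITTER_CONSUMER_SECRET"], username, password)
    # `send` is an injected HTTP POST function: (url, headers, form_body) -> response body text
    response_body = send(req["url"], req["headers"], req["body"])
    fields = dict(part.split("=", 1) for part in response_body.split("&"))
    return {"oauth_token": fields["oauth_token"], "oauth_token_secret": fields["oauth_token_secret"]}
```

Whichever side calls `build_xauth_request` is the side that holds the consumer secret; with the proxy, the device only ever sees the user-scoped token pair returned by `server_exchange`.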