Skip to main content
Software Engineering

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

Required fields*

4
  • Are you sure that you know how OAuth works with respect to the client secret? I think it's reasonable to include it, with some obfuscation methods, in an app binary. I would not, however, rely on the client credentials grant type for a mobile app. Commented Jul 10, 2017 at 22:08
  • 1
    @RibaldEddie Yes I am sure but you are free to cross-check my information. security by obscurity is not security. You're not keeping the secret safe through obfuscation. To understand whether or not it's reasonable to include it you have to make your own assessment, it's your risk calculation to make, but I would personally never include it in any way or form. See also the answer Jacob Hull referred to. Commented Jul 11, 2017 at 7:46
  • Not everything that is a "secret key" is the same. A secret API key is not the same as a "client secret" in the context of OAuth. The alternative is no or a blank secret and in the context of an OAuth client that is a native app, I would say it's better to have a random value as a secret than none at all. The only caveat is to be aware of the different grant types and to ensure that you have the ability to limit the authorized grant types on a per client basis and not to allow the use of any grant type such that the client key and secret are exclusively sufficient for gaining access. Commented Jul 12, 2017 at 21:35
  • 1
    I think it's pretty clear that a native mobile app available through an App Store is a legitimate use of a secret and Id. In combination with a password grant it seems very reasonable. Commented Jul 13, 2017 at 2:27