Ethan,

Do you know links to these guidelines? In particular, extra measures
to deal with the consumer secret vulnerability?
Do I just encrypt the consumer secret on the client side as an extra
means against casual decompilation?

As a side note, Facebook doesn't use OAuth (but it is similar). They
have a means to handle this in their protocol using a temporary secret
provided by their servers.
I don't know how secure this would be, but they seem to have
acknowledged the issue and have a dual system that provides normal
consumer secrets and temporary ones.
On Oct 30, 8:09 am, Ethan Jewett <esjew...@gmail.com> wrote:
> Hi,
>
> In an installed client app it is just not a good idea to assume that
> the consumer secret is actually secret or to rely on this in the way
> you build your server. There is no way to ensure this secrecy and it
> is not an issue specific to OAuth. The token secret is a bit of a
> better bet since it is unique per client.
>
> I believe both Google and Yahoo have guidelines for people building
> installed clients using OAuth, so recommend you take a look at those
> guidelines when considering how to do your own implementation.
>
> Ethan
>
> On Thu, Oct 29, 2009 at 6:06 PM, jrojas78 <ricosre...@gmail.com> wrote:
>
> > Hello,
>
> > How does OAuth deal with client apps that can be "decompiled"? If I
> > want to build a client app that uses an OAuth service like Twitter, how
> > do I protect my secret key? All it takes is one person to hack the
> > client and share the secret key, and then my app would be vulnerable to
> > spoofing. The best approach would be to never share the secret key on
> > the client.
>
> > How can OAuth deal with this?
>
>
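Worked example, added here and not code from this thread or from Twitter, Google, Yahoo or Facebook: OAuth 1.0 HMAC-SHA1 signing as specified in RFC 5849, together with the server-side check, to show concretely what the consumer secret does and does not protect once it has been pulled out of an installed app. The signing key is `consumer_secret&token_secret`, so a request for a given user's token cannot be verified without that user's token secret; a clone of the app that has only the consumer secret can still act as the app on an account it legitimately obtained a token for, which is Ethan's point that the consumer secret cannot be relied on for app identity. All credentials, the token store and the URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Constructed placeholder credentials (not real values).
# The consumer secret ships inside the installed app and so cannot be
# assumed secret. Token secrets are issued per user during the OAuth
# token exchange and are known only to that user's client and the server.
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"
API_URL = "https://api.example.test/1/statuses/update"

# Server-side store: access token -> token secret (constructed sample).
TOKEN_STORE = {
    "user-access-token": "user-token-secret",
    "clone-access-token": "clone-token-secret",
}


def _pct(value):
    """RFC 5849 section 3.6 percent-encoding (only unreserved chars kept)."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, base_url, params):
    """RFC 5849 section 3.4.1: METHOD & base URL & normalized parameters."""
    pairs = sorted((_pct(k), _pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _pct(base_url), _pct(normalized)])


def hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret):
    """RFC 5849 section 3.4.2: key is consumer_secret & token_secret."""
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    base = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def sign_request(method, base_url, request_params, oauth_token, token_secret):
    """Client side: attach the oauth_* parameters and the signature."""
    params = dict(request_params)
    params.update({
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": oauth_token,
        "oauth_nonce": secrets.token_hex(8),
        "oauth_timestamp": str(int(time.time())),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_version": "1.0",
    })
    params["oauth_signature"] = hmac_sha1_signature(
        method, base_url, params, CONSUMER_SECRET, token_secret)
    return params


def verify_request(method, base_url, signed_params, token_store=TOKEN_STORE):
    """Server side: recompute the signature with the stored token secret."""
    params = dict(signed_params)
    presented = params.pop("oauth_signature", None)
    if presented is None or params.get("oauth_consumer_key") != CONSUMER_KEY:
        return False
    token_secret = token_store.get(params.get("oauth_token"))
    if token_secret is None:
        return False  # unknown token: nothing to verify against
    expected = hmac_sha1_signature(
        method, base_url, params, CONSUMER_SECRET, token_secret)
    # Constant-time comparison so the check does not leak the expected value.
    return hmac.compare_digest(presented, expected)


def genuine_request():
    """The real client: holds the consumer secret and its user's token secret."""
    return sign_request("POST", API_URL, {"status": "hello"},
                        "user-access-token", "user-token-secret")


def request_without_token_secret():
    """Consumer secret recovered by decompiling, but no token secret for
    this user: the signing key is wrong, so the server rejects it."""
    return sign_request("POST", API_URL, {"status": "spoofed"},
                        "user-access-token", "")


def clone_with_own_token():
    """A rebuilt client using the same consumer secret with a token it
    obtained for its own account: indistinguishable from the real app."""
    return sign_request("POST", API_URL, {"status": "from a clone"},
                        "clone-access-token", "clone-token-secret")


if __name__ == "__main__":
    print("genuine:", verify_request("POST", API_URL, genuine_request()))
    print("no token secret:", verify_request("POST", API_URL, request_without_token_secret()))
    print("clone, own token:", verify_request("POST", API_URL, clone_with_own_token()))
```

Encrypting the consumer secret inside the binary changes none of these three outcomes, because the client must decrypt it to sign, so the server-side design should treat the per-token secret, not the consumer secret, as the credential that actually authenticates a request.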
You received this message because you are subscribed to the Google Groups "OAuth" group.
http://groups.google.com/group/oauth?hl=en