I wonder if Twitter could provide developers with an URL for dynamically generating additional consumer tokens for their applications. When the user installs a new application it will contact the developer's server to download its own consumer key/secret. The developer's server will use its "master" consumer key/secret to post to the Twitter URL to fetch a new consumer key/secret. The consumer pair will then be sent to the application via a secure channel (HTTPS?) to prevent man in the middle attacks. The application will then use this new consumer pair to perform all signing of requests. Another option is to package the dynamically generated consumer pair in the application download package. Each new download will have its own unique consumer pair ready for use once the user has downloaded the application.
This still requires the developer maintain a server to perform the consumer pair generation, but it does keep the "master" pair secure and each application gets its own pair. But applications that are willing to make this trade off can keep the UX good, control what application instances can authorize on the application's behalf, and the "master" pair is never shared. You can always still distribute the "master" pair with each application if these security gains are not that important to you. Or you can require your users to generate their own consumer pair if UX is not much of an issue (example: distributed server applications) where an advance users is at the wheel and won't have issues figuring this out. Josh