

Ask HN: Client Secret at Android - rajlalwani

Hello Fellow Hackers,

To get an OAuth token from the server for a mobile app, we need to pass the Client Secret from the Android (and iOS) app, which can be compromised easily. I was wondering if you can share best practices to keep the Client ID and Client Secret from getting exposed during reverse engineering or decompilation.

Cheers,
Raj
======
viraptor
If the secret is valuable, someone will get it out. If it isn't, nobody will
look. It's probably enough to just xor the bytes with something to stop the
secret from showing up in `strings`, but otherwise... it's a client app. You
can't control it.

(it's still going to be visible in captured traffic after stripping TLS)
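To make the trade-off in the reply above concrete, here is an added example (my own illustration, not code from the poster or from any Android project): a secret is XOR'd with a fixed key before being compiled in, a small re-implementation of the `strings` heuristic shows the literal no longer turns up in the binary, and the same XOR routine shows why anyone holding the app can still recover it, because the key ships alongside the blob. The secret, key and fake "binary" bytes are all constructed for the demo.

```python
import re
from typing import List

# Constructed sample values for the demo, not a real credential or key.
CLIENT_SECRET = "s3cr3t-client-secret-EXAMPLE"
XOR_KEY = b"\x5a\xa3\x17\x9c"  # ships inside the app next to the blob, so it is no secret


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key; the same call both obscures and restores."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(secret: str, key: bytes = XOR_KEY) -> bytes:
    """What gets compiled into the app instead of the literal string."""
    return xor_bytes(secret.encode(), key)


def reveal(blob: bytes, key: bytes = XOR_KEY) -> str:
    """What the app (or anyone holding the binary) runs to get the secret back."""
    return xor_bytes(blob, key).decode()


def strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Approximation of the `strings` tool: runs of >= min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode() for m in re.findall(pattern, blob)]


def build_binary(payload: bytes) -> bytes:
    """Constructed stand-in for a compiled app: the payload sits between other data."""
    return b"\x7fELF\x00\x00" + payload + b"\x00\x00other-string\x00"


def secret_visible(binary: bytes, secret: str = CLIENT_SECRET) -> bool:
    """True when `strings binary | grep <secret>` would get a hit."""
    return any(secret in s for s in strings(binary))


if __name__ == "__main__":
    plain = build_binary(CLIENT_SECRET.encode())
    hidden = build_binary(obfuscate(CLIENT_SECRET))
    print("literal secret found by strings:", secret_visible(plain))   # True
    print("xor'd secret found by strings:  ", secret_visible(hidden))  # False
    # The key and the decode routine ship with the app, so the protection ends here:
    print("recovered from blob:", reveal(obfuscate(CLIENT_SECRET)))    # prints the secret
```

The XOR step only keeps the value out of a casual `strings` pass; a reviewer of the app binary, or a proxy that terminates TLS, still sees the secret, which is why a mobile app should be treated as a public client rather than a keeper of secrets.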

