Question:
When an Android OAuth 2.0 client application has its credentials (client ID and client secret) hard-coded, it is very easy to decompile the application and retrieve the credentials.
What are the consequences of exposing the client ID and secret?
Answer 1:
I know this won't be a good StackOverflow answer, but I don't feel able to explain it better than the Threat Model and Security Considerations (RFC 6819). So here is the paragraph about obtaining a client secret and its related consequences.
Note that an Android app is a Public Client (a Native Application, to be more specific), so, as you say, it is unable to keep its credentials confidential, but it is still able to protect tokens and authorization codes.
Also interesting for your case is an example about smartphones.
I know that RFCs aren't the most fun reading, but those are pretty clear.
Answer 2:
According to this, it is a security issue: http://software-security.sans.org/blog/2011/03/07/oauth-authorization-attacks-secure-implementation
In case the link stops working, here is what it says:
OAuth's dependency on browser-based authorization creates an inherent implementation problem for mobile or desktop applications that by default do not run in the user's browser. Moreover, from a pure security perspective, the main concern is when implementers store and obfuscate the key/secret combination in the Client application itself. This makes key rotation nearly impossible and enables unauthorized access to the decompiled source code or binary where the consumer secret is stored. For instance, to compromise the Client Credentials for Twitter's Client on Android, an attacker can simply disassemble the classes.dex with the Android disassembler tool, dexdump:
dexdump -d classes.dex
The above goes into a lot more detail and is a pretty great read.
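As an added example (not from the question, the answers, or the SANS post quoted above), the script below does what the quoted attack describes without dexdump: it walks the string_ids table of a classes.dex, which is where every const-string operand the app uses ends up, and flags strings shaped like OAuth client credentials. Everything in it is constructed for illustration: the minimal dex blob (header plus string table only, no classes or code), the sample strings, the credential patterns (the `<project-number>-<hash>.apps.googleusercontent.com` shape of a public Google client ID, and a generic long high-entropy token) and the entropy threshold are heuristics chosen here, not anything the original page specifies.

```python
import math
import re
import struct

DEX_MAGIC = b"dex\n035\0"   # dex version 035 magic (8 bytes)
HEADER_SIZE = 0x70           # fixed size of the dex header

def read_uleb128(buf, off):
    """Decode an unsigned LEB128 value at buf[off]; return (value, offset after it)."""
    result, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7

def uleb128_encode(value):
    """Encode an int as unsigned LEB128 (used only to build the constructed test dex)."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)

def dex_strings(dex):
    """Yield every string constant in a dex file by walking its string_ids table.

    string_ids_size and string_ids_off sit at header offsets 0x38 and 0x3C; each
    string_id_item is a u4 offset to a string_data_item (uleb128 utf16 length,
    MUTF-8 bytes, NUL). MUTF-8 equals UTF-8 for the ASCII that credentials use.
    """
    if dex[:8] != DEX_MAGIC or len(dex) < HEADER_SIZE:
        raise ValueError("not a dex 035 file")
    count, table_off = struct.unpack_from("<II", dex, 0x38)
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, table_off + 4 * i)
        _utf16_len, off = read_uleb128(dex, data_off)
        end = dex.index(b"\x00", off)
        yield dex[off:end].decode("utf-8", errors="replace")

def shannon_entropy(s):
    """Bits of entropy per character; random-looking secrets score well above prose."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

# Heuristic credential shapes (assumptions for this example, not an exhaustive list).
PATTERNS = [
    ("google client id", re.compile(r"^\d+-[a-z0-9]+\.apps\.googleusercontent\.com$")),
    ("hex/base64-ish token", re.compile(r"^[A-Za-z0-9_\-]{24,}$")),
]

def find_candidate_secrets(dex, min_entropy=3.5):
    """Return (label, string) pairs for strings that look like OAuth client credentials.

    Client IDs have a recognisable shape and are flagged outright; generic long
    tokens must also pass the entropy bar so repetitive filler is not reported.
    """
    hits = []
    for s in dex_strings(dex):
        for label, pat in PATTERNS:
            if pat.match(s):
                if label == "google client id" or shannon_entropy(s) >= min_entropy:
                    hits.append((label, s))
                break
    return hits

def build_fake_dex(strings):
    """Construct a minimal dex 035 blob: header + string_ids + string_data (test fixture only)."""
    ids_off = HEADER_SIZE
    data_off = ids_off + 4 * len(strings)
    data, offsets = bytearray(), []
    for s in strings:
        offsets.append(data_off + len(data))
        data += uleb128_encode(len(s)) + s.encode("utf-8") + b"\x00"
    header = bytearray(HEADER_SIZE)
    header[:8] = DEX_MAGIC
    struct.pack_into("<I", header, 0x20, data_off + len(data))   # file_size
    struct.pack_into("<I", header, 0x24, HEADER_SIZE)            # header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)             # endian_tag (little-endian)
    struct.pack_into("<II", header, 0x38, len(strings), ids_off) # string_ids_size/off
    ids = b"".join(struct.pack("<I", o) for o in offsets)
    return bytes(header) + ids + bytes(data)

# Constructed sample string table: class names, field names, and hard-coded credentials.
SAMPLE_STRINGS = [
    "Landroid/app/Activity;",
    "onCreate",
    "client_id",
    "123456789012-ab3cd4ef5gh6ij7kl8mn9op0qr1st2uv.apps.googleusercontent.com",
    "client_secret",
    "Kq9vZ2pL8mNx4TbW7yHd1RfJ6cGeAu5o",          # constructed 32-char secret
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",          # long but low entropy: not a secret
    "https://accounts.example.com/oauth2/token",
]

if __name__ == "__main__":
    for label, value in find_candidate_secrets(build_fake_dex(SAMPLE_STRINGS)):
        print(f"{label}: {value}")
```

Against a real APK, unzip it and pass the bytes of `classes.dex` (and any `classes2.dex`, `classes3.dex`, ...) to `find_candidate_secrets`; obfuscators rename classes and methods but cannot rename a string the app has to send to the token endpoint, which is why the string table is where such credentials surface.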
Answer 3:
Just a remark: the client ID is not a secret by design, so actually there is no need to protect it.
See section 2.2 in RFC 6749 ("The OAuth 2.0 Authorization Framework"):
The client identifier is not a secret; it is exposed to the resource owner and MUST NOT be used alone for client authentication.