I'm developing an installed application that accesses the Google API via OAuth2. There are some security problems I currently know no real solution for. No matter how hard I obfuscate my client secret, a determined person can retrieve and use it. Two problems arise from this:
Somebody uses my client secret to modify user data:
So far it seems that an installed application needs to be authorized again when no refresh token is used. However, I'm not sure if this is part of the client API I use or if it is ensured on the server side. If it is ensured on the server side, I'm happy with it :)
Somebody uses my client secret to exceed my access limit:
OK, this is Google-specific. As long as I don't pay, I have a free quota and it can be exhausted. So somebody can use my client secret to exhaust the quota and no other client will be able to access its data :( I cannot think of a real solution for this besides never ever upgrading the service to the paid level.
The only secure solution that comes to my mind would be to have a web server as a gateway that interacts with Google and transfers the access token to the client. Or maybe it even keeps the tokens and just transfers the requested data (after user authentication (OpenID... whatever)).
In conclusion: I don't have a web server I could use as a gateway. Therefore, as long as the user data is secured (no one can access it with a stolen client secret without the user granting access for new tokens), I can go ahead with the free quota limit, see how fast it is exceeded, and never upgrade it.
I would be glad for any comments on this topic. Thanks!