I'm looking at this sample code:
authConfig = new TwitterAuthConfig(BuildConfig.CONSUMER_KEY, BuildConfig.CONSUMER_SECRET);
What prevents somebody from decompiling the .apk and starting to use my app's consumer key and secret?
If it is your key and the app is for others to use then these would be available in the app if reverse engineered. Even if you encrypted them in the app and decrypted when using, you would need to include the key to decrypt in your app and therefore a determined malicious user could reverse engineer and decrypt also.
I did a bit of further research on this also, as it kind of bothered me.
My understanding, then, is that the CONSUMER_KEY and the CONSUMER_SECRET are yours and should be protected. I don't think distributing them in any app distributed to a user is a good idea.
Instead, they can be used to create a "bearer token" as part of a supporting back end web app. The bearer token could be requested by calling the appropriate Twitter Web API from inside your own web app, i.e. in a safe environment.
In this way, you would have three actors: your mobile app, your web app and the Twitter services. The mobile app requests from your web app a bearer token. The web app requests a bearer token from Twitter by making a server-to-server call over the Twitter REST API, and your token and secret remain yours. The bearer token is returned by Twitter to your web app. Your web app can then store the bearer token in your web app session and act as a proxy for requests to Twitter and ensure that even the bearer token remains secret.
Here are some references: http://wickedlysmart.com/twitternews-oauth/ https://dev.twitter.com/oauth/application-only http://hayageek.com/login-with-twitter/
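The backend half of the three-actor arrangement described in the answer above, as an added example (not code from the post or from Twitter). It assumes the token endpoint and Basic-credential format given in the linked application-only auth document; TwitterProxy, forward, the endpoint allow-list and the injectable send function are hypothetical names chosen for illustration.

```python
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.twitter.com/oauth2/token"  # per the application-only auth doc
API_BASE = "https://api.twitter.com/1.1/"


def build_token_request(consumer_key, consumer_secret):
    """Server-to-server request that trades key + secret for a bearer token."""
    pair = "%s:%s" % (urllib.parse.quote(consumer_key, safe=""),
                      urllib.parse.quote(consumer_secret, safe=""))
    basic = base64.b64encode(pair.encode("ascii")).decode("ascii")
    return urllib.request.Request(
        TOKEN_URL, data=b"grant_type=client_credentials", method="POST",
        headers={"Authorization": "Basic " + basic,
                 "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8"})


def http_send(req):
    """Default transport: perform the HTTPS call and decode the JSON body."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


class TwitterProxy:
    """Keeps key, secret and bearer token on the server; the mobile app only sees results."""
    ALLOWED = {"search/tweets.json", "statuses/user_timeline.json"}  # hypothetical allow-list

    def __init__(self, key, secret, send=http_send):
        self._key, self._secret, self._send, self._token = key, secret, send, None

    def _bearer(self):
        # Fetch the token once and cache it in server memory only.
        if self._token is None:
            body = self._send(build_token_request(self._key, self._secret))
            if body.get("token_type") != "bearer":
                raise RuntimeError("unexpected token response")
            self._token = body["access_token"]
        return self._token

    def forward(self, path, params):
        # Refuse anything outside the allow-list so the proxy is not an open relay.
        if path not in self.ALLOWED:
            raise PermissionError("endpoint not proxied: " + path)
        url = API_BASE + path + "?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + self._bearer()})
        return self._send(req)
```

On a real backend the key and secret would be read from server-side configuration, and forward would sit behind whatever authentication the mobile app uses toward the web app.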
Prevent decompiling with the ProGuard tool
Basically, to use the ProGuard tool, set the following value in your project file called project.properties:
This is a reference for the ProGuard tool: http://developer.android.com/tools/help/proguard.html