Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Can I avoid baking my Twitter API consumer secret into my iPhone app binary?

I'd like to do OAuth for Twitter from an iPhone app. But doing so implies that I need to have my API secret alongside my API key baked into the application binary. This is obviously undesirable.

Facebook supports the notion of a session proxy to get around the parallel issue with their API.

Can I do something like this for Twitter?

like image 811
Ben Zotto Avatar asked Mar 07 '10 18:03

Ben Zotto


2 Answers

Short answer: No.

OAuth was created for and works really well for web applications. It's a square peg in a round hole for native applications. Specification 1.0a was supposed to make it more viable for native applications, but it does little to help.

As you pointed out, one of the main problems with it is that the consumer keys have to be stored in the application. Not a problem for web applications where access to the source is limited, but a big problem for native applications.

The other major problem has to do with it providing no additional security over standard login forms for native applications, but I won't get into that.

But since Twitter is forcing it on you if you want access to higher rate limits and your application name associated with Tweets, you have little choice.

The only way to avoid having the consumer key in your application code is to proxy all requests through your own server.

like image 169
chrissr Avatar answered Oct 19 '22 00:10

chrissr


Some put the key into a settings-type file that the application will read. Others store the key in a database file local to the app. Others store the key on their own server and the native app connects to the server to get the key and secret.

like image 1
Ryan Alford Avatar answered Oct 19 '22 02:10

Ryan Alford