Oauth 2.0: client id and client secret exposed, is it a security issue?

When an Android OAuth 2.0 client application has its credentials (client ID and client secret) hard-coded, it is very easy to decompile the application and retrieve the credentials.
What are the consequences of exposing the client ID and secret?

Luander asked Jan 28 '13 13:01

People also ask

Is client ID and secret secure?

The Client ID is a public identifier of your application. The Client Secret is confidential and should only be used to authenticate your application and make requests to LinkedIn's APIs.

What are OAuth2 authentication vulnerabilities?

Perhaps the most infamous OAuth-based vulnerability is when the configuration of the OAuth service itself enables attackers to steal authorization codes or access tokens associated with other users' accounts. By stealing a valid code or token, the attacker may be able to access the victim's data.

Is OAuth client secret sensitive?

The answer to your question is NO, because the access token represents the authorization result itself and is intended to pass through the application, the authorization server, and the resource server, while the client secret should be a secret known only to the application and the authorization server.


1 Answer

I know this won't be a good StackOverflow answer, but I don't feel able to explain it better than the Threat Model and Security Considerations (RFC 6819). So here is the paragraph about obtaining a client secret and its consequences.

Note that an Android app is a Public Client (a Native Application, to be more specific), so, as you say, it is unable to keep its credentials confidential, but it is still able to protect Tokens and Authorization Codes.

Also interesting for your case is an example about smartphones.

I know that RFCs aren't the most fun reading, but those are pretty clear.

Enrico answered Sep 23 '22 19:09
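The point made in the answer above, that a native app cannot keep its client secret but can still protect the authorization code, is easiest to see with both sides of the exchange written out. The following is an added example, not code from the question, the answer or any real authorization server. It models a toy token endpoint in Python: the attacker holds the client ID and secret recovered from the APK and, via a malicious app registered for the same custom URI scheme, sees the authorization code before the legitimate app does. Without PKCE the leaked secret lets the attacker redeem the code; with PKCE (RFC 7636, which the page does not mention) the exchange additionally requires the per-request code_verifier that never left the legitimate app instance. CLIENT_ID, CLIENT_SECRET, REDIRECT_URI and the user name are constructed values.

```python
"""Toy authorization server showing why a client secret baked into an APK
does not protect the authorization code, and how PKCE (RFC 7636) does.
Added example; every name below is constructed for illustration."""
import base64
import hashlib
import hmac
import secrets

# Constructed values: both are recoverable by decompiling the app, so neither
# can authenticate the app instance to the authorization server.
CLIENT_ID = "com.example.androidapp"
CLIENT_SECRET = "hard-coded-secret-from-the-apk"
REDIRECT_URI = "com.example.androidapp:/oauth2redirect"


def s256(code_verifier: str) -> str:
    """PKCE S256 transform: BASE64URL(SHA256(code_verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    def __init__(self) -> None:
        self._codes: dict = {}   # code -> metadata bound to it at issuance
        self.tokens: dict = {}   # access_token -> user

    def authorize(self, client_id, redirect_uri, user, code_challenge=None):
        """Authorization endpoint: the user has consented; issue a single-use code."""
        code = secrets.token_urlsafe(16)
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "user": user,
            "code_challenge": code_challenge,
        }
        return code

    def token(self, client_id, client_secret, code, redirect_uri, code_verifier=None):
        """Token endpoint: redeem a code. Returns an access token or None."""
        record = self._codes.get(code)
        if record is None:
            return None  # unknown or already redeemed
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            return None
        # This check passes for anyone who decompiled the APK.
        if not hmac.compare_digest(client_secret, CLIENT_SECRET):
            return None
        if record["code_challenge"] is not None:
            # PKCE: only the app instance that generated the verifier can redeem.
            if code_verifier is None or not hmac.compare_digest(
                s256(code_verifier), record["code_challenge"]
            ):
                return None
        del self._codes[code]  # single use; this toy consumes it only on success
        token = secrets.token_urlsafe(24)
        self.tokens[token] = record["user"]
        return token


def run_flow(use_pkce: bool) -> dict:
    """One authorization-code flow in which a malicious app on the same device
    (registered for the same custom URI scheme) sees the code first."""
    server = AuthorizationServer()
    verifier = secrets.token_urlsafe(32) if use_pkce else None  # 43 chars, in RFC 7636 range
    challenge = s256(verifier) if use_pkce else None

    # 1. Legitimate app opens the browser; user consents; server issues the code.
    code = server.authorize(CLIENT_ID, REDIRECT_URI, "alice", challenge)

    # 2. Attacker intercepts the redirect and redeems with the decompiled secret.
    attacker_token = server.token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI)

    # 3. Legitimate app redeems, presenting its verifier when PKCE is in use.
    legit_token = server.token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI, verifier)

    return {
        "attacker_got_token": attacker_token is not None,
        "legit_got_token": legit_token is not None,
    }


if __name__ == "__main__":
    print("without PKCE:", run_flow(False))  # attacker wins, app fails
    print("with PKCE:   ", run_flow(True))   # attacker fails, app succeeds
```

Two caveats on the model. First, the secret check is kept in the toy server only to show that it does nothing against an attacker who has decompiled the app; for a public client the server should not treat the secret as a credential at all. Second, this server invalidates the code only on a successful exchange; a production server may also burn it on a failed attempt, in which case the attacker's PKCE-less redemption turns the theft into a denial of service for the legitimate app rather than a token compromise.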