[GH-ISSUE #395] How to hide consumer_secret in app? #251

Closed
opened 2026-03-03 16:47:04 +03:00 by kerem · 2 comments
Owner

Originally created by @trondkr on GitHub (Jul 21, 2017).
Original GitHub issue: https://github.com/OAuthSwift/OAuthSwift/issues/395

Description:

How to hide consumer_secret in app?

OAuth Provider (Twitter, Github, ..):

Twitter, Google...

OAuth Version:

  • [ ] Version 1
  • [x] Version 2

OS (Please fill the version) :

  • [ ] iOS :
  • [x] OSX :
  • [ ] TVOS :
  • [ ] WatchOS :

Installation method:

  • [ ] Carthage
  • [x] CocoaPods
  • [ ] Manually

Library version:

  • [x] head
  • [ ] v1.0.0
  • [ ] v0.6
  • [ ] other: (Please fill in the version you are using.)

Xcode version:

  • [x] 8.0 (Swift 3.0)
  • [ ] 8.0 (Swift 2.3)
  • [ ] 7.3.1
  • [ ] other: (Please fill in the version you are using.)

  • [ ] objective c

I understand that my question is not an issue, but I still hope you can bear with me. I cannot figure out how most people hide their consumer_secret (for Twitter, Google etc.) in an app (macOS, iOS). I have asked a question on [SO](https://stackoverflow.com/questions/45065984/how-to-keep-client-secret-for-oauth2-login-to-parse-server-secure) without any answers and I was hoping the OAuthSwift community might help. Do developers ship the Twitter, Google, etc. consumer_secret as a string or obfuscated string in their apps these days, or is there a trick to this? I understand that storing the secret on a server may be the best, but using Swift I don't see how even that can be done securely, as I would still have to retrieve the secret and add it to my OAuthSwift request, which could then be intercepted and discovered. Any suggestions are very appreciated. Thank you. T

kerem 2026-03-03 16:47:04 +03:00
  • closed this issue
  • added the question label

@phimage commented on GitHub (Jul 21, 2017):

Saying how I do it could help someone find how to reverse it, but I will take the risk.

I use CryptoSwift to encode it and keep in my code only this encrypted value and the key to decrypt it.
So the problem is moved to these two elements: if someone finds the key, the encrypted value and the method used, he can decrypt it, but this adds so much fun for the hacker.
You can then split these values into multiple variables in different files, reverse them, add multiple encryptions, etc.

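The scheme @phimage describes, as an added illustration that is not code from the comment or from OAuthSwift: the consumer secret is AES-encrypted once at development time, and the app ships only the ciphertext plus the key (split in two, as the comment suggests) and decrypts it at launch with CryptoSwift. All hex values are constructed placeholders; because key, IV and ciphertext all sit in the binary, this raises the effort needed to recover the secret rather than removing it.

```swift
import Foundation
import CryptoSwift  // https://github.com/krzyzanowskim/CryptoSwift

// Constructed placeholder values; replace them with your own. The key is
// split across two constants, as the comment suggests, and joined at runtime.
// All three (key halves, IV, ciphertext) still ship inside the binary.
private let keyPartA: [UInt8] = Array<UInt8>(hex: "000102030405060708090a0b0c0d0e0f")
private let keyPartB: [UInt8] = Array<UInt8>(hex: "101112131415161718191a1b1c1d1e1f")
private let ivBytes: [UInt8] = Array<UInt8>(hex: "ffeeddccbbaa99887766554433221100")
private let consumerSecretCiphertextHex = "PLACEHOLDER_HEX_FROM_encryptForEmbedding"

enum EmbeddedSecret {
    /// One-off helper run at development time (not in the shipped app):
    /// encrypts the real secret with AES-256-CBC/PKCS7 and returns the hex
    /// string to paste into `consumerSecretCiphertextHex`.
    static func encryptForEmbedding(_ secret: String) throws -> String {
        let aes = try AES(key: keyPartA + keyPartB, blockMode: CBC(iv: ivBytes), padding: .pkcs7)
        return try aes.encrypt(Array(secret.utf8)).toHexString()
    }

    /// Runtime side: rebuilds the key, decrypts the compiled-in ciphertext and
    /// returns the consumer secret, or nil if the embedded data is malformed.
    static func consumerSecret() -> String? {
        let ciphertext = Array<UInt8>(hex: consumerSecretCiphertextHex)
        // A valid CBC/PKCS7 ciphertext is a non-empty multiple of the 16-byte AES block.
        guard !ciphertext.isEmpty, ciphertext.count % 16 == 0 else { return nil }
        do {
            let aes = try AES(key: keyPartA + keyPartB, blockMode: CBC(iv: ivBytes), padding: .pkcs7)
            let plaintext = try aes.decrypt(ciphertext)
            return String(bytes: plaintext, encoding: .utf8)
        } catch {
            return nil  // wrong key/IV or corrupted ciphertext
        }
    }
}

// Usage with OAuthSwift: pass the decrypted value instead of a string literal.
// let secret = EmbeddedSecret.consumerSecret() ?? ""
// let oauth = OAuth2Swift(consumerKey: "<your consumer key>", consumerSecret: secret, ...)
```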

@trondkr commented on GitHub (Jul 22, 2017):

It seems like this is the approach I will take myself. I am surprised it is so difficult to find information about best approaches for this, but perhaps developers want their solution hidden as much as possible. I appreciate you taking the time to answer. Thanks. T
