By its nature, the only way to combat this class of attack is security by obscurity - hence, it should be assumed that OAuth client tokens and client secrets do not provide true protection against unauthorized client applications.<p>Of course the tokens can be obfuscated, but at some point the tokens must be used in plain-text to sign the OAuth request, and on a device like an iPhone where complete control of execution flow and full address space access is possible (via kernel exploits / jailbreak and a debugger), it's literally impossible to prevent this attack.<p>Issuing unique per-device device tokens would be an interesting approach, but then a trusted side-band would be necessary to issue the tokens to the device, and a lot of the point of OAuth is moot.<p>OAuth is still quite useful for user authentication (as to steal per-user tokens requires access to the user's device anyway).
I get this at
Mon Aug 20 2012 23:00:37 GMT+0200<p>Not Found<p>The requested URL /ripping-oauth-tokens-or-other-secrets-out-of-tweetdeck-twitter-app-and-other-apps/ was not found on this server.