OAuth 2.0: client ID and client secret exposed, is it a security issue?

Frontend · Unresolved · 3 · 1263
滥情空心 2020-12-28 14:27

When an Android OAuth 2.0 client application has its credentials (client ID and client secret) hard-coded, it is very easy to decompile the application and retrieve the c

3 answers
  •  悲哀的现实
    2020-12-28 14:59

    I know this won't be a good StackOverflow answer, but I don't feel able to explain it better than the Threat Model and Security Considerations (RFC 6819). So here is the paragraph about obtaining a Client Secret and its relative consequences.

    Note that an Android app is a Public Client (a Native Application, to be more specific) so, as you say, it is unable to keep its credentials confidential, but it is still able to protect Tokens and the Authorization Code.

    Also interesting for your case is an example about smartphones.

    I know that RFCs aren't the most fun reading, but those are pretty clear.
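The answer's point is that a public client cannot keep a secret but can still protect the authorization code; the standard way to do that today is PKCE (RFC 7636), which neither the question nor the answer cites, so the following is an added example rather than code from this thread. It assumes the S256 challenge method and models the authorization server with a small in-memory class; the client ID, redirect URI and token formats are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets


def make_code_verifier(n_bytes: int = 32) -> str:
    # RFC 7636: 43..128 unreserved chars; 32 random bytes -> 43 base64url chars without padding.
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    # S256: BASE64URL(SHA256(ASCII(code_verifier))) with padding stripped.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Minimal model of the server side of the PKCE check (constructed for illustration)."""

    def __init__(self):
        self._pending = {}  # authorization code -> (client_id, challenge, method)

    def issue_code(self, client_id: str, challenge: str, method: str = "S256") -> str:
        # Bind the challenge to the code at authorization time; the secret never leaves the client.
        code = secrets.token_urlsafe(24)
        self._pending[code] = (client_id, challenge, method)
        return code

    def exchange(self, code: str, client_id: str, verifier: str):
        entry = self._pending.pop(code, None)  # codes are single use
        if entry is None:
            return None
        stored_client, challenge, method = entry
        if stored_client != client_id or method != "S256":
            return None
        # A party that only intercepted the code (or decompiled the client_id) lacks the verifier.
        if not hmac.compare_digest(make_code_challenge(verifier), challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def demo_flow(client_id: str = "example-android-app"):
    # Full exchange: the app keeps the verifier in memory and sends only the challenge up front.
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.issue_code(client_id, make_code_challenge(verifier))
    return server.exchange(code, client_id, verifier)
```

The `exchange` call returns `None` whenever the verifier, the client ID, or a reused code does not match, which is the check that makes an extracted client ID alone insufficient to redeem a stolen code.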
