When an Android OAuth 2.0 client application has its credentials (client ID and client secret) hard-coded, it is very easy to decompile the application and retrieve the c
Just a remark: the client ID is not a secret by design, so actually there is no need to protect it.
See section 2.2 in RFC 6749 ("The OAuth 2.0 Authorization Framework"):
"The client identifier is not a secret; it is exposed to the resource owner and MUST NOT be used alone for client authentication."