When an Android OAuth 2.0 client application has the client ID and client secret hard-coded in it, it is very easy to decompile the application and retrieve the credentials. Then what is the use of providing these credentials to the OAuth server?
It is not recommended to hard-code client_id and client_secret into a native app, i.e., to use what is called a "confidential client" in a mobile app scenario, exactly because the client_secret cannot be kept a secret.
A native app would typically be a "public client" to the Authorization Server, i.e., one that does not have a client_secret. Security would come from the fact that a unique redirect URI is registered and additional OAuth features like PKCE (https://tools.ietf.org/html/rfc7636) are applied.
For general recommendations on using OAuth 2.0 for native apps see: https://tools.ietf.org/html/draft-ietf-oauth-native-apps, especially the security considerations at: https://tools.ietf.org/html/draft-ietf-oauth-native-apps-10#section-8
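The PKCE mechanism the answer points to, shown as an added example (not code from the question or answer): the public client keeps a random code_verifier in memory, sends only its SHA-256 code_challenge in the authorization request, and the server refuses to redeem the authorization code unless the original verifier is presented at the token endpoint. The server side is a minimal stand-in written for this example, not any real library's API; the test vector is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
import string

# Unreserved characters permitted in a code_verifier (RFC 7636 section 4.1).
_UNRESERVED = string.ascii_letters + string.digits + "-._~"


def generate_code_verifier(length: int = 64) -> str:
    """Random code_verifier of 43..128 unreserved characters, kept only in app memory."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier length must be between 43 and 128")
    return "".join(secrets.choice(_UNRESERVED) for _ in range(length))


def code_challenge_s256(verifier: str) -> str:
    """BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) without '=' padding (RFC 7636 section 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def server_verify(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Token-endpoint check: recompute the challenge bound to the code and compare it."""
    if method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif method == "plain":  # allowed by the RFC but offers no protection; S256 should be used
        expected = presented_verifier
    else:
        return False
    return secrets.compare_digest(expected, stored_challenge)


def simulate_flow() -> tuple:
    """Hypothetical end-to-end run: (legitimate redemption succeeds, replay without the verifier fails)."""
    # Client side: verifier stays in the app; only the challenge leaves the device.
    verifier = generate_code_verifier()
    auth_request = {"code_challenge": code_challenge_s256(verifier), "code_challenge_method": "S256"}
    # Server side: the issued code is bound to the challenge (constructed sample store).
    issued_code = {"code": secrets.token_urlsafe(16), **auth_request}
    legit = server_verify(issued_code["code_challenge"], issued_code["code_challenge_method"], verifier)
    # A party holding only the authorization code cannot produce a matching verifier.
    replay = server_verify(issued_code["code_challenge"], issued_code["code_challenge_method"], "A" * 43)
    return legit, replay
```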
Source: https://stackoverflow.com/questions/44044528/how-to-secure-oauth-2-0-client-id-and-client-secret