I'm developing a mobile app (using Flutter) which has to communicate with a backend secured with OAuth.
The backend is not accessed in the context of a user, so the authorization or password grant flows are not the case here - it's the client credentials flow.
I read numerous posts and opinions and I still can't come up with a solution for how to securely inject the client_id and client_secret into the app without hardcoding them somehow, which risks those credentials being discovered by someone who might analyze the binary.
Even solutions such as using the secure storage of the phone still seem to require some code which itself requires the hardcoding of the values. I also read that environment variables are also not safe.
So my question stands - how can I securely persist credentials specifically for the client credentials OAuth flow in a mobile app so that they are not discoverable by malicious programmers?
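The concern raised in the question, that anything compiled into the app can be read back out of the binary, can be checked from the defender's side rather than argued about. The following is an added example and is not part of the question or of any answer: a small Python script that emulates what `strings` does over a build artifact (an APK, IPA or `libapp.so`) and flags embedded values that look like OAuth client credentials, the kind of check you would run against your own release build in CI before shipping. The sample byte blob, the `client_id`/`client_secret` values and the token URL are all constructed for the demo; `scan_artifact` is a hypothetical helper name.

```python
import math
import re

# Constructed stand-in for a compiled artifact: an ELF-like header, runs of
# binary noise, and a few NUL-terminated strings a Dart/Flutter build might
# leave behind. The credentials below are made up for this example.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"\x13\x37\xca\xfe" * 6
    + b"client_id=mobile-app-demo\x00"
    + b"\x90\x90\xcc\x00\x01\x02"
    + b"client_secret=9f2kQv7Lx0zR3pWm8tYb1cHd4eJg6nSa\x00"
    + b"\xde\xad\xbe\xef" * 4
    + b"https://auth.example.invalid/oauth/token\x00"
    + b"Z8mN3qP1vT6yL2wK9xR4hJ7cB5dF0gS\x00"   # bare token-like constant
    + b"\x00\xff" * 10
)

MIN_STRING_LEN = 8

# Keyed credential patterns: "client_secret=...", "api_key: ...", etc.
CREDENTIAL_KEYS = re.compile(
    r"(client_secret|client_id|secret|api[_-]?key|token)\s*[=:]\s*(\S+)",
    re.IGNORECASE,
)


def extract_strings(blob, min_len=MIN_STRING_LEN):
    """Emulate the `strings` tool: yield runs of printable ASCII of at
    least min_len bytes. Anything hardcoded as a literal shows up here."""
    for match in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield match.group().decode("ascii")


def shannon_entropy(text):
    """Bits per character; random-looking secrets score high, prose low."""
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def find_candidate_secrets(blob, min_bare_len=24, entropy_threshold=3.5):
    """Return a list of findings: keyed credentials (key=value) and bare
    high-entropy strings that are not URLs."""
    findings = []
    for s in extract_strings(blob):
        keyed = CREDENTIAL_KEYS.search(s)
        if keyed:
            value = keyed.group(2)
            findings.append({
                "kind": "keyed",
                "key": keyed.group(1).lower(),
                "value": value,
                "entropy": round(shannon_entropy(value), 2),
            })
        elif (len(s) >= min_bare_len
              and "://" not in s
              and shannon_entropy(s) >= entropy_threshold):
            findings.append({
                "kind": "high-entropy",
                "key": None,
                "value": s,
                "entropy": round(shannon_entropy(s), 2),
            })
    return findings


def scan_artifact(path):
    """Hypothetical CI helper: scan a real build output on disk."""
    with open(path, "rb") as fh:
        return find_candidate_secrets(fh.read())


if __name__ == "__main__":
    for finding in find_candidate_secrets(SAMPLE_BINARY):
        print(f"{finding['kind']:12} key={finding['key']!s:14} "
              f"entropy={finding['entropy']:.2f} value={finding['value']}")
```

Run against the constructed blob, the script lists both keyed credentials and the bare high-entropy constant; the token endpoint URL is skipped. The same check over a real `libapp.so` or an unzipped APK is a cheap gate that fails the build whenever a client secret has been compiled in, which is the practical way to enforce "no secrets in the binary" while the secret itself lives only on a server-side component that performs the client credentials exchange.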