How do I prevent abuse of client secret in Java client-side only program?

Question

I have a client-only Java program that makes calls to Github's API servers. As you may know, Github has an API access limit of 60 calls per hour for unauthenticated users. I want to use a client key and client secret to up this limit to 5000 calls per hour, but how can I prevent others who are using my client side app from decompiling the code and obtaining my client secret?

Note that the app needs access to the actual client secret and key, but I need them to be hidden from the user.

[This is relevant and useful too](http://stackoverflow.com/questions/442862/how-can-i-protect-mysql-username-and-password-from-decompiling?rq=1) — durron597, Aug 05 '15 at 18:28

score 0 · Answer 1 · answered Aug 05 '15 at 18:52

I solved it by using a Github personal access key with the only privilege being accessing public repositories. One more thing: Does anyone know whether selecting a checkbox in the personal key scopes menu enables or disables access to that area? For example, if private repos is ticked, does that mean I can or can't access them?

How do I prevent abuse of client secret in Java client-side only program?

1 Answers1