I am developing an Android app that integrates with users' OneDrive for Personal account and obtains a Files.Read scope.

I have registered the app on Microsoft Application Registration Portal. Got a Client ID for authenticating my app with OneDrive and I am using Microsoft Graph APIs.

Now I have to include that Client ID in my app which would be distributed through Google Play.

How safe is that? If anyone can obtain that Client ID, is it possible for them to tamper with the user's data by sending fake requests using that Client ID?

Please note that this concern is specifically for Client ID to authenticate requests to OneDrive.

Also, do these answers hold good here?

Answer 1: https://stackoverflow.com/a/37945932/1363471

Just a remark: the client ID is not a secret by design, so actually there is no need to protect it.

See section 2.2 in RFC 6749 ("The OAuth 2.0 Authorization Framework"):

The client identifier is not a secret; it is exposed to the resource owner and MUST NOT be used alone for client authentication.

Answer 2: https://stackoverflow.com/a/14565249/1363471

I know this won't be a good StackOverflow answer, but I don't feel able to explain it better than the Threat Model and Security Considerations (RFC 6819). So here is the paragraph about obtaining a Client Secret and its relative consequences.

Note that an Android app is a Public Client (a Native Application to be more specific) so, as you say, unable to keep its credentials confidential, but still able to protect Tokens and the Authorization Code.

1 Answer

Answer #1 is correct, the Client ID is not a secret and you shouldn't be worried about packaging it inside your app. Its goal is to identify the client making the request, e.g. your app, not to authorize the call. The access token, which you get as the output of a successful OAuth flow and should be able to protect, is what's used to authorize the call.

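To make the "public client" point concrete, here is an added example (not the answerer's code) of what a native app like this one actually sends: the client ID goes into the authorize and token requests in the clear, no client secret is ever sent, and the authorization code is protected with PKCE (RFC 7636, the standard mechanism for native apps) so that someone holding only the client ID, or even an intercepted code, cannot finish the token exchange. The Microsoft identity platform v2.0 endpoint URLs are real; the client ID is a placeholder and the redirect URI is hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Real Microsoft identity platform v2.0 endpoints; "common" accepts personal accounts.
AUTHORIZE_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder, not a real app id
REDIRECT_URI = "msauth://com.example.app/callback"   # hypothetical app redirect URI


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Random verifier (32 bytes -> 43 unreserved chars), kept in app memory only."""
    return b64url(secrets.token_bytes(32))


def code_challenge_for(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorize_url(verifier: str, state: str) -> str:
    """Browser/custom-tab URL; the client ID is visible to anyone, by design."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "Files.Read",
        "state": state,
        "code_challenge": code_challenge_for(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def token_request_body(code: str, verifier: str) -> dict:
    """POST body for TOKEN_URL: no client_secret, the verifier takes its place."""
    return {"client_id": CLIENT_ID, "grant_type": "authorization_code",
            "code": code, "redirect_uri": REDIRECT_URI, "code_verifier": verifier}


def server_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """Simulates the authorization server's check at /token: the exchange only
    succeeds for the party that generated the verifier, whatever the client ID."""
    return hmac.compare_digest(stored_challenge, code_challenge_for(presented_verifier))
```

The access token returned from the exchange is the only credential that authorizes Graph calls; the client ID never appears in a Files.Read request to Graph.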