Swifty Waves

Securing API Keys and Secrets

When using 3rd party services, traditionally we need to register our app with the 3rd party service and get an API App ID (the app identifier) and, most of the time, an App Secret (the app login key) as well.

Usually the App ID is public (or can be treated as public) and can be stored in the app. In terms of security, it should not be a big deal if someone gets hold of the App ID.

With the App Secret, however, we should proceed with maximum care. We should not store the secret in the code: it would become accessible to anyone who reverse engineers the app.

The best practice is to store the secret on our server and communicate with our server to retrieve any token (the secret itself or a token generated with the secret), or to integrate with the 3rd party service always through our server side.

Of course, some services may require the secret only for some actions (writes, access to sensitive info, etc.) and allow the user/app to access some endpoints with only the App ID.

Note that if someone gets hold of our App Secret, the attack would only affect the app's authorisation and access, not the users' credentials.
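The server-side piece described above, written out as an added example (not code from the original post): a small token broker that holds the App Secret, performs the client-credentials exchange with the 3rd party, and hands the mobile app only a short-lived bearer token. The token endpoint URL and the `transport`/`clock` parameters are assumptions introduced so the flow can be exercised offline.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Hypothetical 3rd-party token endpoint; constructed for this example.
TOKEN_URL = "https://accounts.example.com/api/token"


def basic_auth_header(client_id, client_secret):
    """Client-credentials style header: base64(app_id:app_secret)."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


class TokenBroker:
    """Server-side component and the only place the App Secret is ever present: the
    app authenticates to *our* server, calls token_for_app(), and gets a short-lived
    bearer token; the secret never leaves this process."""

    def __init__(self, client_id, client_secret, token_url=TOKEN_URL,
                 transport=None, clock=time.time):
        self._client_id = client_id
        self._client_secret = client_secret  # loaded from the server's secret store, never shipped in the app
        self._token_url = token_url
        self._transport = transport or self._http_post  # injectable so the flow can be tested offline
        self._clock = clock
        self._cached = None  # (access_token, expires_at)

    @staticmethod
    def _http_post(url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode())

    def _fetch_token(self):
        headers = {"Authorization": basic_auth_header(self._client_id, self._client_secret),
                   "Content-Type": "application/x-www-form-urlencoded"}
        body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
        data = self._transport(self._token_url, headers, body)
        # Refresh 30 s early so the app never receives a token that is about to expire.
        self._cached = (data["access_token"], self._clock() + int(data["expires_in"]) - 30)

    def token_for_app(self):
        """Response to the mobile app: bearer token and remaining lifetime, never the secret."""
        if self._cached is None or self._clock() >= self._cached[1]:
            self._fetch_token()
        token, expires_at = self._cached
        return {"access_token": token, "expires_in": int(expires_at - self._clock())}
```

The app's own request to this endpoint still needs to be authenticated (user session, app attestation, etc.); the broker only removes the secret from the binary, it does not replace that check.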

Online Resources:

https://developers.facebook.com/docs/facebook-login/security

https://developer.spotify.com/web-api/authorization-guide/

https://steelkiwi.com/blog/how-connect-spotify-sdk-your-project/

https://github.com/spotify/ios-sdk/issues/877

https://github.com/spotify/ios-sdk/issues/159

https://aaronparecki.com/oauth-2-simplified/

https://stormpath.com/blog/the-ultimate-guide-to-mobile-api-security

https://hackernoon.com/mobile-api-security-techniques-682a5da4fe10

https://security.stackexchange.com/questions/19989/facebook-api-app-secret-possible-misuse

https://arstechnica.com/information-technology/2010/09/twitter-a-case-study-on-how-to-do-oauth-wrong/

https://medium.com/ios-os-x-development/keeping-secrets-out-of-git-in-your-ios-app-c01a357e824b
