Leaked OAuth Client Secret (Foursquare)

This information is intended for developers of apps that have embedded the Foursquare OAuth client_secret in their apps.Knowledge of the secret is tied directly to special access to data that users might have granted to the application. The leaked client_secret can be exploited by an attacker to access user’s data that your application has been granted access to.

We recommend that you update your app to move all calls requiring a client_secret to a server-side application you control. You can find implementation details on Foursquare developer support page here, and the relevant Android guidance here.

Next steps
1. Update your app to not embed the client_secret.
2. Contact Foursquare if you require assistance here.
3. Sign in to your Developer Console and submit the updated version of your app. 
4. Check back after five hours - we’ll show a warning message if the app hasn’t been updated correctly. 

For other technical questions, you can post to Stack Overflow and use the tag “android-security”. Note that questions about Play policy should not be posted to Stack Overflow.

Note that apps must also comply with the Developer Distribution Agreement and Content Policy. If you feel you have received this vulnerability warning in error, contact our policy support team through the Google Play Developer Help Center.

Was this helpful?
How can we improve it?