Yes. This is also how Twitter's authentication works. Twitter says that client developers should protect the secret in the binary by reasonable means, but the keys from Twitter's own iOS and Android apps have already been extracted. (On a side note, why haven't any client devs who ran into the token limit tried using the official keys yet? Will they be taken out of an app store?)
> why haven't any client devs who ran into the token limit tried using the official keys yet? Will they be taken out of an app store?
Probably, just like Airfoil Speakers Touch was kicked out for using an Apple private key extracted from the AirPort firmware to act as an AirPlay receiver.
The app credentials are per app that integrates this Dropbox sync. The app keeps them to itself (probably hard-coded in the binary) and, using them, requests access to a Dropbox account.
Yep. And the same goes for iOS, too. I've taken a peek at the official Dropbox iOS app's API key and secret in the past just for fun, though I didn't go so far as to post them on GitHub.
There isn't really a way around it other than implementing authentication on a remote server. In that scenario, the app doesn't authenticate directly with the service, but with a private server. This way you can, for example, authenticate your users and create sessions before they can access the Dropbox API.
It can still be abused, but at least you can know who did it.
mDbxAcctMgr = DbxAccountManager.getInstance(getApplicationContext(), APP_KEY, APP_SECRET);
So anyone with some basic Android knowledge will be able to extract my application's key and secret?
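As an added example, not code from the thread or from Dropbox, the following Python illustrates both points raised above: the question of whether a key and secret passed to `DbxAccountManager.getInstance(...)` can be pulled out of the APK, and the server-side authentication pattern suggested in the thread. The fake APK, the sample credentials, the 15-character key heuristic, and the `AuthBroker` server are all constructions of this example, not Dropbox's format or API.

```python
"""Added example, not code from the thread or from Dropbox.

Part 1 shows why a hard-coded key/secret is recoverable from an Android
package with nothing more than `unzip` and `strings`: Java string constants
survive compilation verbatim inside classes.dex.  Part 2 is the pattern the
thread describes: the secret lives only on a private server that authenticates
users first, so the app never carries APP_SECRET and every Dropbox
authorization is attributable to a user.
"""
import hashlib
import hmac
import io
import re
import secrets
import zipfile

# Constructed sample credentials (not real Dropbox keys).  The scanner below
# assumes keys and secrets are 15 lowercase alphanumerics; treat that shape
# as a heuristic of this example, not a guarantee about Dropbox.
APP_KEY = "k7x2m9p4q1r8s5t"
APP_SECRET = "z3y6w0v5u2t9s8r"


def build_fake_apk(app_key: str, app_secret: str) -> bytes:
    """Stand-in for a release APK: a zip whose classes.dex carries the two
    string constants.  Real DEX layout differs; only the fact that the
    constants are stored in the clear matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        dex = b"dex\n035\x00" + b"\x00" * 16
        dex += app_key.encode() + b"\x00" + app_secret.encode() + b"\x00"
        z.writestr("classes.dex", dex)
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    return buf.getvalue()


PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")  # what `strings -n 8` reports


def extract_strings(apk_bytes: bytes):
    """Yield (entry name, string) for every printable run in every zip entry;
    the same thing `unzip -p app.apk | strings` gives you."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            for m in PRINTABLE_RUN.finditer(z.read(name)):
                yield name, m.group().decode("ascii")


def find_dropbox_credentials(apk_bytes: bytes) -> list:
    """Heuristic scan: every string shaped like a Dropbox app key or secret."""
    return sorted({s for _, s in extract_strings(apk_bytes)
                   if re.fullmatch(r"[a-z0-9]{15}", s)})


class AuthBroker:
    """Hypothetical private server from the thread's suggestion.  It is the
    only holder of APP_SECRET, issues per-user session tokens, and logs which
    user each Dropbox authorization was made on behalf of."""

    PBKDF2_ROUNDS = 100_000

    def __init__(self, app_key: str, app_secret: str):
        self._app_key = app_key
        self._app_secret = app_secret
        self._users = {}      # username -> (salt, pbkdf2 hash)
        self._sessions = {}   # session token -> username
        self.audit_log = []   # (outcome, username or None)

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.PBKDF2_ROUNDS)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def login(self, username: str, password: str):
        """Return a fresh session token, or None on bad credentials."""
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def authorize_dropbox(self, session_token: str):
        """Server-side step that would call Dropbox with the app credentials.
        The HMAC stands in for that call; the point is that APP_SECRET is
        used here and nowhere else, and the caller is identified first."""
        user = self._sessions.get(session_token)
        if user is None:
            self.audit_log.append(("rejected", None))
            return None
        proof = hmac.new(self._app_secret.encode(),
                         f"{self._app_key}:{user}".encode(), "sha256").hexdigest()
        self.audit_log.append(("authorized", user))
        return proof


if __name__ == "__main__":
    print("leaked from APK:", find_dropbox_credentials(build_fake_apk(APP_KEY, APP_SECRET)))
    broker = AuthBroker(APP_KEY, APP_SECRET)
    broker.register("alice", "correct horse battery staple")
    token = broker.login("alice", "correct horse battery staple")
    print("authorized:", broker.authorize_dropbox(token) is not None, broker.audit_log)
```

The broker does not stop abuse outright, as the thread notes: a stolen session still gets a Dropbox authorization. What it changes is that the authorization is tied to a registered user in `audit_log`, so the session can be revoked and the account identified, whereas a secret shipped in the APK can be used by anyone who ran `strings` on it with no trace back to a user.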