What would be a secure way of storing client secrets used for authentication (webservices) in Xamarin/Android apps ?
Secure Storage, which interacts with Android Keystore, seems very useful for storing sensitive data acquired at runtime, such as access tokens, but not for sensitive data that needs to be immediately accessible.
EDIT: A practical example of client secrets would be, for instance, a static, universal client id and client secret used in OAuth2.0 authentication.
In General
Any secret present on the client side cannot reliably remain secret from the user. If data is only sent to the client side after authenticating and authorizing a valid user, then you are still trusting that user with the secrets.
There is no practical way to ship a secret as part of an application binary as it will be available to anyone who can access the binary which is basically everyone. Even in some encrypted form, the decryption mechanism will necessarily be present in the binary. Only providing the decryption key to an authenticated and authorized user is in most cases more complicated than just providing the secret data directly to an authorized user.
OAuth Specific
Proof Key for Code Exchange (PKCE) https://oauth.net/2/pkce/ was specifically designed to address the problems with client secrets in a mobile context. You no longer need the client secret on the mobile device when you use PKCE.
