Well, it doesn’t actually explain why. It says that it would allow “nefarious spies to potentially see your top-secret information”. This sounds bad, of course, but what is the exact scenario that allows this? What threat does it actually pose that can’t be achieved via other vectors?
Yes, if a client secret is embedded in anything that is accessible to an attacker, it should be considered compromised. And if an attacker has the secret, they can potentially create a client that impersonates the original app. But how does that compromise the end user’s information?
A client ID/secret is used to authenticate a client to an authorization server. It’s needed when knowing which client makes the request matters to the auth server. A stolen client secret can fool the auth server but not the end user (because the user’s consent is required; they know which app they run and see which permissions they grant). This is no different from any other public API used by a mobile or desktop app: these are considered “public clients”, and no assumptions are made about their authenticity.
This is by no means a criticism of EVEMon’s dev’s choice (many thanks for picking it up and keeping it alive!). I understand the concern about sharing anything that is considered “secret”, and it is, of course, the developer’s choice whether to include this “secret” in their app (and there is the question of liability), but I don’t think there is a real risk to the end user.
And it is rather shortsighted of CCP to insist on a “client secret” and introduce this unnecessary dilemma for app devs.
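To make the distinction in the comment above concrete (the secret authenticates the client to the authorization server; user consent is a separate gate), here is a toy model of an OAuth 2.0 authorization-code flow. This is an added example, not EVEMon’s code or CCP’s SSO; the client ID, secret, redirect URI, scope name and user are constructed values. It shows that a party holding a leaked client secret passes client authentication at the token endpoint, yet still cannot obtain a token without an authorization code, and a code is only issued after a user has been shown the registered app name and scopes and has consented.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    """Toy OAuth 2.0 authorization server: registered clients, auth codes, tokens."""
    clients: dict                                  # client_id -> {"secret", "redirect_uri", "name"}
    codes: dict = field(default_factory=dict)      # code -> {"client_id", "user", "scope", "redirect_uri"}
    tokens: dict = field(default_factory=dict)     # token -> {"user", "scope", "client_id"}

    def authorize(self, client_id, redirect_uri, scope, user, consent_prompt):
        """Authorization endpoint. The *user* is shown which app (registered name) asks
        for which scopes and must consent; only then is a single-use code issued."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client_id or unregistered redirect_uri")
        if not consent_prompt(client["name"], scope):
            raise PermissionError(f"{user} declined to grant {scope} to {client['name']}")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "user": user,
                            "scope": scope, "redirect_uri": redirect_uri}
        return code

    def authenticate_client(self, client_id, client_secret):
        """Client authentication: all the secret proves is 'this caller holds client_id's secret'."""
        client = self.clients.get(client_id)
        return client is not None and hmac.compare_digest(client["secret"], client_secret)

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: needs BOTH a valid client secret AND a code a user consented to."""
        if not self.authenticate_client(client_id, client_secret):
            raise PermissionError("client authentication failed")
        entry = self.codes.pop(code, None)   # codes are single use
        if entry is None or entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid, already used or mismatched authorization code")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = {"user": entry["user"], "scope": entry["scope"], "client_id": client_id}
        return tok


# Constructed sample registration (hypothetical values, not any real client's data).
CLIENT_ID = "evemon-desktop"
CLIENT_SECRET = "s3cr3t-shipped-inside-the-binary"
REDIRECT_URI = "http://localhost:4567/callback"
SCOPE = "read_skills"


def new_server():
    return AuthServer(clients={CLIENT_ID: {"secret": CLIENT_SECRET,
                                           "redirect_uri": REDIRECT_URI,
                                           "name": "EVEMon"}})


def legitimate_flow():
    """User runs the real app, sees 'EVEMon wants read_skills', consents; app gets a token."""
    srv = new_server()
    code = srv.authorize(CLIENT_ID, REDIRECT_URI, SCOPE, user="alice",
                         consent_prompt=lambda app, scope: app == "EVEMon" and scope == SCOPE)
    tok = srv.token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI)
    return srv.tokens[tok]


def attacker_with_leaked_secret():
    """Attacker extracted the secret from the binary. It passes client authentication, but the
    token endpoint still demands a code, and codes only come out of a user's consent screen."""
    srv = new_server()
    can_impersonate_client = srv.authenticate_client(CLIENT_ID, CLIENT_SECRET)
    try:
        srv.token(CLIENT_ID, CLIENT_SECRET, code=secrets.token_urlsafe(16), redirect_uri=REDIRECT_URI)
        got_token = True
    except PermissionError:
        got_token = False
    # Trying to have the code delivered to an attacker-controlled URI fails too: the
    # authorization endpoint only honours the redirect_uri registered for the client.
    try:
        srv.authorize(CLIENT_ID, "https://attacker.example/cb", SCOPE, user="alice",
                      consent_prompt=lambda app, scope: True)
        redirect_hijacked = True
    except PermissionError:
        redirect_hijacked = False
    return can_impersonate_client, got_token, redirect_hijacked


if __name__ == "__main__":
    print(legitimate_flow())
    print(attacker_with_leaked_secret())   # (True, False, False)
```

The model keeps the two checks separate on purpose: `authenticate_client` is what the leaked secret satisfies, `authorize` is what the user’s consent satisfies, and `token` requires both. What the secret buys an attacker here is the ability to talk to the token endpoint as the registered client; what it does not buy is a code for someone else’s account, because that still requires putting the registered app name and scopes in front of that user.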