Considering that ALL HTTP requests must be made from the user side, both consumer_key and consumer_secret should be right in the user's RAM. So, I think every app could use xAuth by stealing others' key and secret. That confused me, because Twitter says only authorized developers can use xAuth; others should use OAuth.
How do Twitter and 3rd-party developers keep their keys private?