TwitFactory, my twitter client based on xulrunner, is not far from the attic. Given the recent authentication change in Twitter and the obligation to use now OAuth, I don't see how I could keep the application based on easily readable JavaScript AND preserve the security of an associated OAuth key. Even if TwitFactory is not Open Source, all Open Source applications share the same concern. How can we write Open Source software if a key inside the code is readable, copyable, abusable?

Even if TwitFactory could use a binary component containing an encrypted key, fully free or open source software cannot do that.

On the same topic, I do recommend reading a 3-pages excellent article by Ryan Paul on Ars Technica.