Keep the credentials secret somehow, maybe by encrypting them in the client app?
This question doesn't really make sense to me. The server needs to perform the necessary authorization and data validation; it can't rely on a client app to do it. So if you're trying to use the client as your source of security and data integrity, it's not going to work.
A determined user can always go around the app to talk to the service directly. With my OAuth token I can use 'curl' to talk to Twitter or Facebook or Gmail or whatever.
—Jens
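
An added illustration of the point made in the reply above (not code from the thread or from any product it discusses): a server-side handler that authenticates the token, checks ownership and validates the body itself, so a request sent directly with a valid token gets exactly the same checks as one sent by the app. The token scheme, the in-memory document store and the field names are assumptions constructed for this example.

```python
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"  # assumption: held only by the server
DOCS = {"doc1": {"owner": "alice", "balance": 10}}  # constructed sample data


def _sign(user):
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()


def issue_token(user):
    """Hypothetical token format: '<user>.<hex HMAC of user>'."""
    return f"{user}.{_sign(user)}"


def authenticate(token):
    """Return the user name if the signature verifies, else None."""
    user, _, sig = token.rpartition(".")
    if user and hmac.compare_digest(sig.encode(), _sign(user).encode()):
        return user
    return None


def handle_update(token, doc_id, body):
    """Every check runs here, whatever program sent the request."""
    user = authenticate(token)
    if user is None:
        return 401, "invalid token"
    doc = DOCS.get(doc_id)
    if doc is None:
        return 404, "no such document"
    if doc["owner"] != user:  # authorization: a valid token is not enough
        return 403, "not the owner"
    try:
        data = json.loads(body)
    except ValueError:
        return 400, "malformed JSON"
    if not isinstance(data, dict) or set(data) != {"balance"}:
        return 400, "unexpected fields"
    balance = data["balance"]
    if type(balance) is not int or balance < 0:  # data validation
        return 400, "invalid balance"
    doc["balance"] = balance
    return 200, "ok"
```
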