According to Facebook oauth2 docs, client side flow doesn't require client secret parameter. Client side flow can be used on both native and mobile web apps.
However the Google native oauth2 flow does require client secret.
In this case client secret can be stolen by hacker using reverse engineering tools.
Can somebody clarify why it was done this way?
According to a post on Google Groups, the main reason is that they use the same libraries for server-side apps and native apps. It sounds like they don't consider client_secret to be sensitive in the context a native app, but they plan to phase it out for the installed app flow eventually.
From thread Is client_id/client_secret a joke for open source apps?:
We don't expect those secrets to stay secret—so far we're including them mostly so it's convenient to use with libraries today, and expect to stop requiring them at some point in the future.
While that might sound bad, keep in mind that OAuth was never intended to prevent malicious users from forging requests in the context of your mobile/desktop app.
If you're concerned about exposing client_secret, there is also the client-side flow described here As far as I can tell, the client-side flow doesn't require client_secret and would work fine from a desktop or mobile app.