Usually the app_id is public. It is not kept secret. UUID, email address, uuid, or an integer should suffice.
For the app secret, any quality PRNG will suffice. The MD5/hashing of random data will simply give you another random token.
Your operating system is the best source for random numbers. Every language has a different API to get at it.
The feasibility of cracking the secret is a function of the length of the key. A 256 bit key is considered uncrackable under the right conditions.
For python, this is the code to get the secret:
import os
import base64
key_bytes = os.urandom(256)
# If you need to pass it in a URL, you could base64 it,
# or convert it to hex
key_b64 = base64.b64encode(key_bytes)
key_hex = ''.join( [hex(x) for x in key_bytes])
print 'b64', key_b64
print 'hex', key_hex
outputs:
b64 ypPp16psb1mBrlS5BE01kcwB+tjwOdDbu3K2Ix0cYz5KxCX42PoRR5a2cpwZGhULeW5BEFenwg5G55m8czU+gF8yS5wz7BfCaT8Z15pgarUM+rrPl/tbYKu3Hc0FE8/5jczZKwFlV37Etq/Hn2gT/9njXn1YIh+NlLBec6Yp3Y6dbSD6zqHv60qPZSUqmVRL9UrbJBAa38gCgMjqj79Qe/pMBpH7tMAKrLelmOBedklme9kZzAJrEpFwtp65K8h3RLSDXx0qVNjrToJquaDFOKytwlwkYtV3ANQ/bxLgEN8zXfGalXsO/6d/ZDi03Kjlj36rSL2fcCG0w5oiYTitMQ==
hex 3FC5E75CA3FD62BB42D2EDD3F14B8D247B241B1E9281EC629A5C5271EB65F3F9F1C9547AF5A5715636461C00B7B960CCC78295A31C6F9C1C5DC0ECEECA5278B56F555E3E635541C2E7CC946B73FB2B89EF9E34C0797D6A8452B41A8D0050A856FFA9519FB7E9381218647E18189A3167E3C1A68D545C0868C0B87B69DA69D23EE2A660E9D4A1281D15C57D67F2D2C67A10574E7AEE906CA112E3FF4FD0C087D9F354ACC3ECD5E6A86B171F61B5644E3D630F2C66C25F3BA6DC30A44660C253B4328EB2228759A3194A0A1FAB9BDC6E95051099E3EFA9EC063C6A18F0B4956EBC2F39E19A2AE665A699A10EA91C20DCBFED6FAAB1DAE554469C877979298591ED