Zhihong and everyone else, Thank you so much for the responses! It was really fun and interesting to hear all these comments.
> Jersey to make the OAuth-signed calls so we played around with
> Jersey. It's pretty easy to plug OAuth in.

Zhihong - Could I please ask you how you plugged OAuth into Jersey?

I think I am convinced so I've decided to use OAuth for my security layer... Will definitely use the Objective-C binaries.

Thanks everyone for your help,

Mike

On Jul 25, 12:52 pm, John Kristian <jmkrist...@gmail.com> wrote:
> It sounds like the iPhone app will be an OAuth Consumer, and your app
> server will be the OAuth Service Provider. That's a reasonable
> application of OAuth.
>
> I've heard that it's difficult for an iPhone app to regain control
> after launching the browser via which the user logs in to the service
> provider. Perhaps an iPhone expert can help you with that.
>
> Can an iPhone app store its access token secret, in such a way that
> other apps on the same iPhone can't read it? This is necessary to
> defend against attacks by a malicious app, which an attacker might
> lure the user into running.
>
> Assume that the consumer secret won't be a secret. It might as well
> be an empty string or "s". The system will be vulnerable to this
> attack: an attacker uses your software, hacks his iPhone or simulator
> to extract the consumer secret, and implements another app that uses
> it. The attacker lures a user into running his app. The user runs
> it, logs in to your service provider and authorizes the software to
> act on his behalf. Then the software does something malicious. As
> far as I know, any software is vulnerable to such an attack if it can
> be run on a platform controlled by an attacker (such as a mobile
> device or personal computer).
>
> Nonetheless, OAuth provides some security. At least it assures that
> the user has authorized a particular app on a particular iPhone.
>
> Use SSL to hide the token secrets when they're sent from app server to
> iPhone (in response to OAuth/HTTP requests) and the user's password
> when it's sent from user to app server (in an HTTP form post).
>
> When sending JSON to a server, you might want to defend against
> tampering with the JSON, using a request body hash.
> http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/oauth-bodyhash...
>
> On Jul 23, 1:37 pm, mw_java <michaelwilso...@gmail.com> wrote:
>
> > I am relatively new to OAuth... I am creating an iPhone App which uses
> > a REST Web Service (Jersey) to send JSON based data to a Java middle
> > tier app server (JBoss).
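The request body hash John mentions, worked through as an added example that is not code from this thread, from Jersey or from any OAuth library: the client computes `oauth_body_hash` over the raw JSON bytes as the OAuth Request Body Hash 1.0 extension defines it (base64 of SHA-1), and the server recomputes it over the bytes it actually received. The hash only protects the body if the parameter is itself among the OAuth-signed parameters, which is why the client helper adds it to that set. The sample body, consumer key and helper names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample: the JSON document an iPhone client would POST to the Jersey endpoint.
SAMPLE_BODY = json.dumps({"action": "transfer", "amount": 42}, separators=(",", ":")).encode("utf-8")


def oauth_body_hash(body: bytes) -> str:
    """oauth_body_hash as defined by the OAuth Request Body Hash 1.0 extension:
    base64 of the SHA-1 digest of the raw entity-body bytes (SHA-1 pairs with HMAC-SHA1)."""
    return base64.b64encode(hashlib.sha1(body).digest()).decode("ascii")


def client_oauth_params(body: bytes, extra: dict) -> dict:
    """Client side (hypothetical helper): add oauth_body_hash to the OAuth parameters
    that go into the signature base string. Signing the base string (HMAC-SHA1) is the
    OAuth library's job; the point here is that the hash must be a signed parameter,
    otherwise an attacker could replace both the body and the hash together."""
    params = dict(extra)
    params["oauth_body_hash"] = oauth_body_hash(body)
    return params


def server_verify_body(received_body: bytes, signed_params: dict) -> bool:
    """Server side (hypothetical helper): after the OAuth signature over signed_params
    has been verified, recompute the hash over the bytes actually received and compare
    in constant time. A body without an oauth_body_hash parameter is rejected, so that
    a missing hash is never treated as 'nothing to check'."""
    presented = signed_params.get("oauth_body_hash")
    if presented is None:
        return False
    return hmac.compare_digest(oauth_body_hash(received_body), presented)


if __name__ == "__main__":
    params = client_oauth_params(SAMPLE_BODY, {"oauth_consumer_key": "iphone-app"})
    print("intact body accepted:", server_verify_body(SAMPLE_BODY, params))
    # Constructed tampering: the amount is changed in transit while the signed hash is kept.
    tampered = SAMPLE_BODY.replace(b"42", b"4200")
    print("tampered body accepted:", server_verify_body(tampered, params))
```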