On Sun, 30 May 2010 10:15:48 -0700 Jann Gobble <janngob...@gmail.com> wrote:
> Okay, please tell me you know that I can create an app with a
> UIWebView that will take that password you type in faster than
> anything.
>
> It is NOT secure. This is my problem with oAuth. The work-arounds
> cause a false sense of security. oAuth was NEVER supposed to be used
> this way. If the user does not trust the app, they should definitely
> not trust the developer that puts a UIWebView in it -- it is too easy
> to do a man-in-the-middle. oAuth fits in well with webapps, not
> iPhone apps.

The user does trust the app, otherwise they would not be using it. The problem with the scheme of using the app *and* a browser is that the user has to trust *both* of them. And if they don't trust the app, why are they using it to post their tweets?

It looks like the folks who designed this scheme were not thinking about desktop/mobile apps, only about web based solutions. The rest is an afterthought.

Be Safe,
Bernd

--
Bernd Stramm <bernd.str...@gmail.com>