On Fri, 3 Sep 2010 11:29:22 -0700 (PDT)
Ken <k...@cimas.ch> wrote:

> What is the risk of storing a token? It can't be used outside your
> app.

The token being confined to use "within" an app is very insecure when
the app runs on an end-user device. There soon will be a billion smart
phones, and many of those will run twitter apps.

Then suppose user Alice finds out user Bob's token (perhaps by
borrowing or stealing a phone), and publishes it.

User Bob now has no way to retire the token, short of disabling the app
that runs on millions of phones. Or Bob can get a new twitter user name.

That's not what is normally called security.

OAuth as currently done with twitter only works when the "app" runs on
a small number of secure servers. 
-- 
Bernd Stramm
bernd.str...@gmail.com

-- 
Twitter developer documentation and resources: http://dev.twitter.com/doc
API updates via Twitter: http://twitter.com/twitterapi
Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list
Change your membership to this group: 
http://groups.google.com/group/twitter-development-talk?hl=en
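The point the message makes about revocation granularity can be shown with a small model. This is an added example, not code from the thread or from Twitter; the registry classes, the `phone-app` name, the user names and the in-memory store are assumptions for illustration. `AppWideRegistry` models the situation the message describes, where the only lever that invalidates a leaked token is disabling the app for everyone; `PerTokenRegistry` models the alternative, where each issued token is bound to a user and can be retired on its own.

```python
"""Added example: how revocation granularity decides what a leaked
access token costs.  Not code from the thread or from Twitter.

Two hypothetical registries are compared:
  AppWideRegistry  - the only way to invalidate a token is to disable the
                     whole app (the situation the message describes).
  PerTokenRegistry - every issued token can be revoked on its own, so a
                     leaked token is retired without touching other users.
"""
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Token:
    app: str
    user: str
    revoked: bool = False


def _digest(secret: str) -> str:
    """Store only a hash of the bearer secret, never the secret itself."""
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class _Registry:
    tokens: dict = field(default_factory=dict)  # digest -> Token

    def issue(self, app: str, user: str) -> str:
        """Issue a random bearer secret and record (app, user) for it."""
        secret = secrets.token_urlsafe(24)
        self.tokens[_digest(secret)] = Token(app, user)
        return secret

    def _lookup(self, secret: str):
        return self.tokens.get(_digest(secret))


@dataclass
class AppWideRegistry(_Registry):
    """Tokens can only be invalidated by disabling the whole app."""
    disabled_apps: set = field(default_factory=set)

    def revoke_for_user(self, app: str, user: str) -> None:
        # No per-user lever exists: the only option is to disable the app
        # for every user who installed it.
        self.disabled_apps.add(app)

    def authorize(self, secret: str):
        tok = self._lookup(secret)
        if tok is None or tok.app in self.disabled_apps:
            return None
        return tok.user


@dataclass
class PerTokenRegistry(_Registry):
    """Each token is bound to (app, user) and revocable on its own."""

    def revoke_for_user(self, app: str, user: str) -> None:
        for tok in self.tokens.values():
            if tok.app == app and tok.user == user:
                tok.revoked = True

    def authorize(self, secret: str):
        tok = self._lookup(secret)
        if tok is None or tok.revoked:
            return None
        return tok.user


def scenario(registry_cls):
    """Bob's token leaks and Bob asks for it to be retired.

    Returns (bob_token_still_valid, alice_token_still_valid), so the
    collateral damage of the revocation model is visible in one tuple.
    """
    reg = registry_cls()
    bob_secret = reg.issue("phone-app", "bob")      # constructed sample data
    alice_secret = reg.issue("phone-app", "alice")  # constructed sample data
    reg.revoke_for_user("phone-app", "bob")
    return (reg.authorize(bob_secret) is not None,
            reg.authorize(alice_secret) is not None)


if __name__ == "__main__":
    print("app-wide revocation  (bob_ok, alice_ok):", scenario(AppWideRegistry))
    print("per-token revocation (bob_ok, alice_ok):", scenario(PerTokenRegistry))
```

With app-wide revocation, retiring Bob's leaked token also cuts off Alice and everyone else using the app, which is the "disabling the app that runs on millions of phones" outcome the message describes. With per-token revocation Bob's token dies and Alice's keeps working. The registry stores only a hash of each secret, so a copy of the server-side table does not by itself yield usable tokens.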