Recently my colleague and I began looking a little closer at the iPhone SDK in an effort to research how to best incorporate an OAuth authorization model. Naturally UIWebView was front and center as it currently provides the only method (at least that I'm aware of) for an application to transition between itself and the browser without requiring the user to re-launch the application. While at a glance, this appeared ideal for OAuth, I became concerned when it was apparent that all interaction, including HTTP request/response data, would be fully accessible to the parent application via UIWebView.
From my perspective, one of the greatest architectural features of the OAuth and OpenID protocols is the complete absence of any requirement the user place trust in the application they're authorizing or authenticating to. This doesn't appear to be possible through UIWebView as the application has the ability to capture any and all interaction, regardless of whether SSL is employed. I'm curious if the group has any thoughts or greater insight into the UIWebView security model and its impact on user-agent trust and privacy on the iPhone. Hopefully I've missed something.

References:

UIWebView
https://developer.apple.com/iphone/library/documentation/UIKit/Reference/UIWebView_Class/Reference/Reference.html#//apple_ref/doc/uid/TP40006950-CH3-SW11

UIWebViewDelegate
https://developer.apple.com/iphone/library/documentation/UIKit/Reference/UIWebViewDelegate_Protocol/Reference/Reference.html

NSURLRequest
https://developer.apple.com/iphone/library/documentation/Cocoa/Reference/Foundation/Classes/NSURLRequest_Class/Reference/Reference.html#//apple_ref/doc/c_ref/NSURLRequest

Thanks,
Darren

--
darren bounds
[email protected]
