Hi Darren,

On 2 Feb 2009, at 09:40, Darren Bounds wrote:

> Recently my colleague and I began looking a little closer at the
> iPhone SDK in an effort to research how to best incorporate an OAuth
> authorization model. Naturally UIWebView was front and center as it
> currently provides the only method (at least that I'm aware of) for an
> application to transition between itself and the browser without
> requiring the user to re-launch the application. While at a glance,
> this appeared ideal for OAuth, I became concerned when it was apparent
> that all interaction, including HTTP request/response data, would be
> fully accessible to the parent application via UIWebView.
>
> I'm curious if the group has any thoughts or greater insight into
> UIWebView security model and its impact on user-agent trust and
> privacy on the iPhone. Hopefully I've missed something.

With Fire Eagle, we came to the same wary conclusion and our current response is to say ‘Don't use UIWebViews (or equivalent) please’.

However, there's a little bit more to the iPhone OS ux that you've not covered here, which alleviates the user manually relaunching apps. In short, iPhone OS2 allows you to register application protocols (such as ‘pownce://’) and use that to call back from the web app. The result is that your app gets relaunched gracefully after auth is completed, without any manual intervention.

We documented all of our Fire Eagle related advice, and tried to cover the basics of creating app-protocols on major platforms:

http://fireeagle.yahoo.net/developer/documentation/oauth_best_practice

Cheers,
Ben
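The app-protocol callback described in the reply above hands the app a URL that any other app or web page could also open, so the receiving side should check it before treating the authorization as complete. The following is an added example, not part of the original message or of Fire Eagle's documentation. It assumes the provider appends `oauth_token` to the callback as OAuth 1.0 does; the scheme `exampleapp`, the host `oauth-callback` and all function names are hypothetical.

```swift
import Foundation

// Hypothetical values: the scheme this app registered and the host it
// expects on its own OAuth callback URL.
let callbackScheme = "exampleapp"
let callbackHost = "oauth-callback"

enum CallbackError: Error {
    case unexpectedURL   // wrong scheme or host
    case missingToken    // no oauth_token, an empty one, or more than one
    case tokenMismatch   // token is not the one this app requested
}

/// Returns the authorized request token if `url` is a well-formed callback
/// for the authorization this app started; throws otherwise.
func authorizedToken(from url: URL, pendingRequestToken: String?) throws -> String {
    guard let parts = URLComponents(url: url, resolvingAgainstBaseURL: false),
          parts.scheme?.lowercased() == callbackScheme,
          parts.host?.lowercased() == callbackHost else {
        throw CallbackError.unexpectedURL
    }
    let tokens = (parts.queryItems ?? [])
        .filter { $0.name == "oauth_token" }
        .compactMap { $0.value }
    guard tokens.count == 1, let token = tokens.first, !token.isEmpty else {
        throw CallbackError.missingToken
    }
    // A registered scheme can be opened by anyone, so accept only the
    // request token this app stored before sending the user to the browser.
    guard let pending = pendingRequestToken, token == pending else {
        throw CallbackError.tokenMismatch
    }
    return token
}

// Constructed sample callbacks (not real tokens).
let pending = "reqtok123"
let samples = [
    "exampleapp://oauth-callback?oauth_token=reqtok123",
    "exampleapp://oauth-callback?oauth_token=someoneelse",
    "exampleapp://settings?oauth_token=reqtok123",
]
for sample in samples {
    guard let url = URL(string: sample) else { continue }
    do { print(sample, "->", try authorizedToken(from: url, pendingRequestToken: pending)) }
    catch { print(sample, "-> rejected:", error) }
}
```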
