It sounds like the iPhone app will be an OAuth Consumer, and your app server will be the OAuth Service Provider. That's a reasonable application of OAuth.
I've heard that it's difficult for an iPhone app to regain control after launching the browser via which the user logs in to the service provider. Perhaps an iPhone expert can help you with that.

Can an iPhone app store its access token secret in such a way that other apps on the same iPhone can't read it? This is necessary to defend against attacks by a malicious app, which an attacker might lure the user into running.

Assume that the consumer secret won't be a secret. It might as well be an empty string or "s". The system will be vulnerable to this attack: an attacker uses your software, hacks his iPhone or simulator to extract the consumer secret, and implements another app that uses it. The attacker lures a user into running his app. The user runs it, logs in to your service provider and authorizes the software to act on his behalf. Then the software does something malicious. As far as I know, any software is vulnerable to such an attack if it can be run on a platform controlled by an attacker (such as a mobile device or personal computer). Nonetheless, OAuth provides some security. At least it assures that the user has authorized a particular app on a particular iPhone.

Use SSL to hide the token secrets when they're sent from app server to iPhone (in response to OAuth/HTTP requests) and the user's password when it's sent from user to app server (in an HTTP form post).

When sending JSON to a server, you might want to defend against tampering with the JSON, using a request body hash:
http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/oauth-bodyhash.html

On Jul 23, 1:37 pm, mw_java <[email protected]> wrote:
> I am relatively new to OAuth... I am creating an iPhone App which uses
> a REST Web Service (Jersey) to send JSON based data to a Java middle
> tier app server (JBoss).

You received this message because you are subscribed to the Google Groups "OAuth" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
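The two mechanisms the reply above leans on, the HMAC-SHA1 signature keyed by consumer secret plus token secret, and the oauth_body_hash extension that covers a JSON body the signature base string would otherwise ignore, are easy to get subtly wrong on the server side. The following is an added, self-contained example written for this page (not code from the original poster, the thread, or any library); it is in Python rather than Objective-C or Java purely so that both the consumer side and the service-provider side fit in one runnable script. The URL, consumer key, token and secrets are made-up placeholders, and the consumer secret is deliberately the empty string, as the reply suggests, so that the token secret alone carries the authentication. The body hash and signature construction follow OAuth 1.0 (RFC 5849 section 3.4) and the Request Body Hash 1.0 extension.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from urllib.parse import quote, unquote

# Hypothetical identifiers for the example; nothing here comes from the thread.
URL = "https://api.example.com/v1/events"
CONSUMER_KEY = "iphone-app"
CONSUMER_SECRET = ""          # per the reply: treat the consumer secret as public
TOKEN = "tok-4f9c"
TOKEN_SECRET = "kept-in-keychain-only"


def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay bare."""
    return quote(str(value), safe="-._~")


def body_hash(body: bytes) -> str:
    """oauth_body_hash for HMAC-SHA1 requests: base64(SHA-1(raw request body))."""
    return base64.b64encode(hashlib.sha1(body).digest()).decode("ascii")


def signature_base_string(method, url, params):
    """METHOD&encoded(base URL)&encoded(normalized params), RFC 5849 section 3.4.1.
    The JSON body is not a parameter; it is bound in via oauth_body_hash instead."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(base_string, consumer_secret, token_secret):
    """HMAC-SHA1 with key encoded(consumer_secret)&encoded(token_secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def build_auth_header(url, body, consumer_key, consumer_secret, token, token_secret,
                      timestamp=None, nonce=None):
    """Consumer side: sign a POST whose JSON body is covered by oauth_body_hash."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or os.urandom(8).hex(),
        "oauth_version": "1.0",
        "oauth_body_hash": body_hash(body),
    }
    oauth["oauth_signature"] = sign(signature_base_string("POST", url, oauth),
                                    consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))


def parse_auth_header(header):
    """Inverse of build_auth_header; values were percent-encoded so no quote/comma ambiguity."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth Authorization header")
    out = {}
    for part in header[len("OAuth "):].split(", "):
        k, _, v = part.partition("=")
        out[unquote(k)] = unquote(v.strip('"'))
    return out


def verify_request(method, url, auth_header, body, lookup_secrets, now=None, max_skew=300):
    """Service-provider side. Returns (ok, reason). Checks, in order: signature method,
    timestamp freshness, body hash against the raw body, then the HMAC signature, which
    itself covers oauth_body_hash so the hash cannot be swapped along with the body."""
    params = parse_auth_header(auth_header)
    sig = params.pop("oauth_signature", None)
    if sig is None or params.get("oauth_signature_method") != "HMAC-SHA1":
        return False, "missing or unsupported signature"
    try:
        ts = int(params["oauth_timestamp"])
    except (KeyError, ValueError):
        return False, "bad timestamp"
    if abs((now if now is not None else int(time.time())) - ts) > max_skew:
        return False, "stale timestamp"       # a real server also rejects replayed nonces
    if not hmac.compare_digest(params.get("oauth_body_hash", ""), body_hash(body)):
        return False, "body hash mismatch"
    secrets = lookup_secrets(params.get("oauth_consumer_key"), params.get("oauth_token"))
    if secrets is None:
        return False, "unknown consumer or token"
    expected = sign(signature_base_string(method, url, params), *secrets)
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def lookup_secrets(consumer_key, token):
    """Stand-in for the app server's credential store."""
    if (consumer_key, token) == (CONSUMER_KEY, TOKEN):
        return CONSUMER_SECRET, TOKEN_SECRET
    return None


def demo():
    """Constructed sample: a valid request, a body tampered in transit, and a forgery by
    someone who extracted the (empty) consumer secret but never obtained the token secret."""
    body = json.dumps({"event": "purchase", "amount": 10}).encode()
    header = build_auth_header(URL, body, CONSUMER_KEY, CONSUMER_SECRET, TOKEN, TOKEN_SECRET)
    good = verify_request("POST", URL, header, body, lookup_secrets)
    tampered = verify_request("POST", URL, header, body.replace(b"10", b"10000"), lookup_secrets)
    forged_header = build_auth_header(URL, body, CONSUMER_KEY, CONSUMER_SECRET, TOKEN, "guess")
    forged = verify_request("POST", URL, forged_header, body, lookup_secrets)
    return good, tampered, forged


if __name__ == "__main__":
    print(demo())
```

Note what the body hash does and does not buy you: it detects modification of the JSON in transit (or by a proxy), because the server recomputes SHA-1 over the raw bytes it actually received before it parses them, while the signature over the oauth_* parameters (including the hash) prevents an attacker from simply replacing the hash too. It is a supplement to SSL, not a substitute for it, since neither mechanism hides the body or the user's password.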
