Hey John,

A couple of responses.

On 20-Aug-09, at 9:03 PM, John Kristian wrote:

> If an application turns out to be malicious, I don't know how you can
> unauthorize it without unauthorizing other applications on the same
> device. Does Android provide some way for one software module to
> identify another, before cooperating with it?

OAuth makes it easy to disable every single access token owned by a compromised consumer at once. You have the consumer key when you authorize the access token. You should store the consumer association with the access token. Then it's only one query to blow away all the compromised consumer's access tokens.

> Is there some notion of
> a module being signed by the organization responsible for it? If so,
> you might create a module that mediates usage of the token and secret,
> and can refuse usage by blacklisted applications.

If I understand your question correctly, signing an application is irrelevant to the OAuth service provider, since you can fake any signature over the wire. It's only possible for the device's operating system to verify the signature because it has access to the application binary.

Cheers,

Sunir Shah, Chief Handshaker, FreshBooks
(416) 481-6946 x224
http://www.freshbooks.com/team/sunir
http://twitter.com/sunir
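The token store Sunir describes, as an added example that is not from the thread or from FreshBooks: each access token is recorded together with the consumer key it was issued to, so one UPDATE revokes every token of a compromised consumer while tokens of other consumers (even on the same device) keep working. Table and column names are assumptions for illustration.

```python
import secrets
import sqlite3

# Assumed schema: the consumer key is known when the token is authorized,
# so it is stored on the access_tokens row itself.
SCHEMA = """
CREATE TABLE consumers (
    consumer_key TEXT PRIMARY KEY,
    revoked      INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE access_tokens (
    token        TEXT PRIMARY KEY,
    secret       TEXT NOT NULL,
    user_id      TEXT NOT NULL,
    consumer_key TEXT NOT NULL REFERENCES consumers(consumer_key),
    revoked      INTEGER NOT NULL DEFAULT 0
);
"""

def open_store():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def register_consumer(db, consumer_key):
    db.execute("INSERT INTO consumers (consumer_key) VALUES (?)", (consumer_key,))

def issue_access_token(db, consumer_key, user_id):
    # Bind the new token to the consumer that requested authorization.
    token, secret = secrets.token_hex(16), secrets.token_hex(32)
    db.execute(
        "INSERT INTO access_tokens (token, secret, user_id, consumer_key) "
        "VALUES (?, ?, ?, ?)",
        (token, secret, user_id, consumer_key),
    )
    return token, secret

def token_is_valid(db, token):
    # A token is usable only while neither it nor its consumer is revoked.
    row = db.execute(
        "SELECT t.revoked, c.revoked FROM access_tokens t "
        "JOIN consumers c ON c.consumer_key = t.consumer_key WHERE t.token = ?",
        (token,),
    ).fetchone()
    return row is not None and row[0] == 0 and row[1] == 0

def revoke_consumer(db, consumer_key):
    # One statement disables every token the compromised consumer obtained;
    # returns how many tokens were revoked. Other consumers are untouched.
    db.execute("UPDATE consumers SET revoked = 1 WHERE consumer_key = ?", (consumer_key,))
    cur = db.execute("UPDATE access_tokens SET revoked = 1 WHERE consumer_key = ?", (consumer_key,))
    return cur.rowcount
```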
