Rather than assign a different consumer secret to each device, I
suggest each device get a unique access token secret using OAuth; that
is, by asking the user to authenticate to each service provider and
authorize the device. (The token secret and consumer secret are
separate elements in OAuth.)

Yes, a determined user can find his own token secret. That's OK. The
problem is allowing someone else (an attacker) to use the secret. To
prevent that, applications should discourage the user from finding his
token secret, and hide the secret from other, possibly malicious
applications running on the same mobile device. The latter needs some
infrastructure, to prevent applications from seeing each other's data.

For a consumer copied to users' mobile devices (or desktops), a
conventional consumer secret isn't very useful because it isn't really
secret. Assume attackers will know it. You might as well publish it,
as Google did. Look elsewhere for assurance that consumer software is
trustworthy. I expect any healthy software market will have some way
to help users trust the software they use.

Yes, OAuth doesn't help fight piracy. (I mean the use of unauthorized
copies or imitations of licensed software.)

On Aug 20, 6:38 pm, Sunir Shah <su...@freshbooks.com> wrote:
> Sorry, the original proposal as I understood it was that every  
> application gets a consumer secret for each mobile device. Presumably  
> you could arrange this by cooking the binary every download with a  
> different consumer secret. This is impossible in mobile environments  
> with centralized distribution (iTunes, AppWorld). However, in those  
> environments, this isn't really a problem.
>
> My first reaction was that there is no way to avoid piracy, since if
> Pirate Alice downloaded the app, she could post it on the Internet and
> anyone (i.e. Bob) could use it. However, I realize now that isn't the
> case, since you can monitor the use of the consumer secret, and if one
> secret seems overly used, you can destroy it, disabling all pirates.
> Hello Windows Genuine Advantage.
>
> However, I would add, in response to your suggestion, that you should not
> rely on the premise that it is hard for the user to find their token
> secret, since it is so easy to retrieve with common reverse engineering
> tools.

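To make the separation of consumer secret and token secret concrete, here is an added example (not code from the thread) of RFC 5849 HMAC-SHA1 signing in which the consumer secret is treated as public, as the post assumes, and each authorized device holds its own token secret that the provider can revoke individually. The consumer key, token values, URL and parameter values are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(s):
    """RFC 5849 3.6 percent-encoding: only unreserved characters stay as-is."""
    return quote(str(s), safe="-._~")

def signature_base_string(method, base_url, params):
    """RFC 5849 3.4.1: METHOD & encoded URL & encoded normalized parameters.
    params holds the oauth_* protocol parameters plus query/body parameters,
    but never oauth_signature itself."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret):
    """RFC 5849 3.4.2: the HMAC key is consumer_secret '&' token_secret, so a
    published consumer secret alone cannot produce a valid signature."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

# Constructed values: a consumer secret assumed to be public knowledge and one
# access token (with its own secret) per device the user has authorized.
CONSUMER_KEY = "mobile-app"
CONSUMER_SECRET = "published-consumer-secret"
TOKEN_STORE = {"device-a-token": "secret-a", "device-b-token": "secret-b"}
URL = "https://api.example.com/photos"

def sign_request(method, url, params, token, token_secret):
    """Client side: sign with this device's token secret (fixed nonce/timestamp
    for reproducibility; a real client generates fresh ones per request)."""
    signed = dict(params, oauth_consumer_key=CONSUMER_KEY, oauth_token=token,
                  oauth_signature_method="HMAC-SHA1", oauth_timestamp="1250800000",
                  oauth_nonce="n1", oauth_version="1.0")
    signed["oauth_signature"] = hmac_sha1_signature(method, url, signed, CONSUMER_SECRET, token_secret)
    return signed

def verify_request(method, url, params):
    """Provider side: look up the token's secret and recompute the signature.
    Nonce/timestamp replay checks are omitted here for brevity."""
    token_secret = TOKEN_STORE.get(params.get("oauth_token"))
    if token_secret is None:
        return False  # unknown or revoked token
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = hmac_sha1_signature(method, url, unsigned, CONSUMER_SECRET, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))

def revoke_token(token):
    """Disable one device; the shared consumer secret stays valid for the others."""
    TOKEN_STORE.pop(token, None)
```

Revoking device A's token leaves device B's requests verifiable, which is the per-device control the post describes without rotating anything baked into the distributed binary.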
You received this message because you are subscribed to the Google Groups 
"OAuth" group.