Hey Chris, > Popping up a browser control inside the app (on the iPhone > WebKit allows you to do this) appears to be a superior (but still > kinda weak) solution, with no loss in actual security.
The loss in security is that the user has no way of knowing if they're actually seeing the Twitter/consumer's site or whether it's a phishing attempt. They have no way of independently verifying that the connection is secure either. But, as Loren states, on a desktop app, you can fake/phish/etc. to your heart's delight and, as Cameron mentioned, there are _far_ worse things an installed desktop app can do. Not sure if pushing oAuth for desktop is actually a Good Thing (tm) or an exercise in purity for purity's sake, UX be damned. Aral
