All,
I don't want to kick this subject to death, as there was a lengthy
thread on general OAuth vs. Basic auth -- I want to restrict this
question strictly to the scope of iPhone apps. Having pored over the
OAuth vs. Basic authentication process, I have a question, given the
following assumptions:
- The iPhone app is communicating directly with Twitter, i.e. not
through some third-party means.
- The iPhone app requires authentication at the beginning of each
application runtime (i.e. each time the app is run the user has to
type in their password).
- The password is cached only in memory, for the life of that specific
runtime (i.e. when the user quits the app, the password is released).
- The password is NEVER persisted anywhere, i.e. never stored to disk.
- All network communication with Twitter takes place over HTTPS.
If all of those things are true in an iPhone app, how is OAuth
superior in any way to basic authentication from a security
standpoint? Furthermore, given having to introduce a foreign UI
element and extra authentication steps over the web, could OAuth even
be considered inferior when evaluated as a whole as an authentication
means for the iPhone, when app branding, integration, and ease of use
are considered?
Mind you, the purpose of this post is not in any way to incite a
religious war or stir the pot, it is to definitively establish the
true pros and cons of each authentication means within the specific
use case of the iPhone only. Many of the other OAuth / Basic auth
threads are somewhat overridden with personally charged statements
that I'd rather ignore them.
Anyway, your constructive views are most appreciated.
Regards,
Brad
