> << if you choose to run a rogue executable on your computer, it isn't the
> computer's fault for running it. It is the user's fault for running the
> executable. >>
Exactly. It is the user's fault. If all third-party apps were forced to
implement OAuth it would save users from this fault to some extent.
> <<NO. With OAuth you are not keying in your password with in the app.
> No? How is it then that you initially get logged into Twitter -- yes, it
> might be a Twitter web page, but it is still hosted within your app, right?
> So who's to say the web page you are viewing is *really* an OAuth page, if
> you aren't going to trust the app? OAuth doesn't protect from that. >>
I was actually referring to desktop PIN-based apps (the desktop app typically
invokes a browser and control is passed to the browser; yes, there is a hit on
user experience). I am not aware of UIWebView and have no idea what it
does. But if the credentials are passed through the consumer then it is
CERTAINLY NOT OAuth. It is as bad as using BASIC Auth.
> <<You ignored one of my assumptions, which is that passwords aren't stored
> at all. If basic authentication is used, and passwords are never stored, it
> doesn't matter if someone steals your iPhone, they cannot get access to your
> Twitter account. *With OAuth, they would still have a degree of access to
> it, unless I'm missing something*.>>
Not necessarily. It's up to the application. Applications typically provide
an option of storing/clearing passwords/tokens. You cannot assume that
only OAuth apps store tokens. All apps store passwords/tokens, as they
do not want the users to go through the login process again. If your iPhone
gets stolen and your OAuth-based app stores the token, yes, there is a
degree of access to Twitter, but at least you have the option of revoking the
access. That is not the case with BASIC auth (and what if you are
using the same password for all your mail/shopping/bank accounts?)
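The desktop PIN ("out-of-band") flow and the revocation point discussed in this thread, as an added worked example that is not part of the original mailing-list post and is not Twitter's or any client's code. It implements RFC 5849 (OAuth 1.0a) signature base strings and HMAC-SHA1 signing, and wraps them in a constructed toy provider (`ToyProvider`, host `api.example.test`) and a constructed desktop client (`DesktopClient`); the user name, password, consumer key and secret are made-up test data. The point it demonstrates: the app only ever holds a token, the password is typed into the provider's login page, and revoking that one app's token at the provider leaves the password (and every other account sharing it) untouched.

```python
"""Simulated OAuth 1.0a out-of-band (PIN) flow with RFC 5849 HMAC-SHA1 signing
and a toy provider that supports per-app token revocation. Constructed
example: ToyProvider/DesktopClient and all credentials are hypothetical."""
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote


def pct(s):
    """RFC 5849 section 3.6 percent-encoding: only ALPHA / DIGIT / - . _ ~ stay unencoded."""
    return quote(str(s), safe="-._~")


def base_string(method, url, params):
    """Signature base string: METHOD & pct(base URL) & pct(normalized parameters)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])


def hmac_sha1(consumer_secret, token_secret, base):
    """HMAC-SHA1 with key pct(consumer secret) & pct(token secret), base64-encoded."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


class DesktopClient:
    """Consumer side: holds consumer credentials and, after the flow, only an access token."""

    def __init__(self, consumer_key, consumer_secret):
        self.key, self.secret = consumer_key, consumer_secret
        self.token = self.token_secret = None

    def sign(self, method, url, params, token=None, token_secret=""):
        p = dict(params, oauth_consumer_key=self.key, oauth_nonce=secrets.token_hex(8),
                 oauth_signature_method="HMAC-SHA1", oauth_timestamp=str(int(time.time())),
                 oauth_version="1.0")
        if token:
            p["oauth_token"] = token
        p["oauth_signature"] = hmac_sha1(self.secret, token_secret, base_string(method, url, p))
        return p


class ToyProvider:
    """Service side (stand-in for twitter.com): issues, verifies and revokes tokens."""
    BASE = "https://api.example.test"  # hypothetical host

    def __init__(self, consumers):
        self.consumers = consumers   # consumer_key -> consumer_secret
        self.request_tokens = {}     # token -> [secret, consumer_key, verifier(PIN), user]
        self.access_tokens = {}      # token -> (secret, consumer_key, user)
        self.passwords = {"alice": "hunter2"}  # constructed test account

    def _valid(self, method, url, params, token_secret):
        consumer_secret = self.consumers.get(params.get("oauth_consumer_key"))
        if consumer_secret is None:
            return False
        expected = hmac_sha1(consumer_secret, token_secret, base_string(method, url, params))
        return hmac.compare_digest(expected, params.get("oauth_signature", ""))

    def request_token(self, params):
        """Step 1: temporary credential; oauth_callback=oob means 'show the user a PIN'."""
        url = self.BASE + "/oauth/request_token"
        if params.get("oauth_callback") != "oob" or not self._valid("POST", url, params, ""):
            raise PermissionError("bad request-token request")
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[tok] = [sec, params["oauth_consumer_key"], None, None]
        return tok, sec

    def authorize(self, request_token, username, password):
        """Step 2: the user logs in on the provider's page (in the browser), gets a PIN."""
        if self.passwords.get(username) != password:
            raise PermissionError("bad login")
        pin = f"{secrets.randbelow(10 ** 7):07d}"
        self.request_tokens[request_token][2:] = [pin, username]
        return pin

    def access_token(self, params):
        """Step 3: request token + PIN (oauth_verifier) are traded for an access token."""
        url = self.BASE + "/oauth/access_token"
        rec = self.request_tokens.pop(params.get("oauth_token"), None)
        if (rec is None or rec[2] is None or params.get("oauth_verifier") != rec[2]
                or not self._valid("POST", url, params, rec[0])):
            raise PermissionError("bad access-token request")
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[tok] = (sec, rec[1], rec[3])
        return tok, sec

    def api_call(self, method, path, params):
        """Signed API request; returns the acting user, or None if the token is bad/revoked."""
        rec = self.access_tokens.get(params.get("oauth_token"))
        return rec[2] if rec and self._valid(method, self.BASE + path, params, rec[0]) else None

    def revoke(self, username, consumer_key):
        """'Revoke access' for one app in account settings; the password is untouched."""
        for tok in [t for t, r in self.access_tokens.items() if r[1:] == (consumer_key, username)]:
            del self.access_tokens[tok]


def run_pin_flow(provider, client, username, password):
    """Whole out-of-band flow; the password only ever goes to provider.authorize (the browser)."""
    rt, rts = provider.request_token(
        client.sign("POST", ToyProvider.BASE + "/oauth/request_token", {"oauth_callback": "oob"}))
    pin = provider.authorize(rt, username, password)  # user reads the PIN off the web page
    client.token, client.token_secret = provider.access_token(
        client.sign("POST", ToyProvider.BASE + "/oauth/access_token", {"oauth_verifier": pin}, rt, rts))
    return client


def post_status(provider, client, text):
    """A signed API call made with the stored access token (no password involved)."""
    path = "/1/statuses/update.json"
    signed = client.sign("POST", ToyProvider.BASE + path, {"status": text}, client.token, client.token_secret)
    return provider.api_call("POST", path, signed)


if __name__ == "__main__":
    prov = ToyProvider({"desktop-app-key": "desktop-app-secret"})
    app = run_pin_flow(prov, DesktopClient("desktop-app-key", "desktop-app-secret"), "alice", "hunter2")
    print(post_status(prov, app, "hello"))        # alice
    prov.revoke("alice", "desktop-app-key")       # laptop stolen: kill this app's token only
    print(post_status(prov, app, "spam"))         # None: the stored token is now worthless
```

Run it as-is to see the token work before revocation and fail after it. Compare with the BASIC-auth case the thread describes: a client that stored `alice`'s password would keep working until the password itself is changed, and that change has to be repeated on every other site where the same password was reused.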