This issue has been discussed at http://groups.google.com/group/oauth?hl=en
You might find that informative.  Some highlights:

An OAuth Consumer that's deployed to users' desktops or mobile devices
can't keep a secret. One should assume its consumer key and consumer
secret will be known to attackers. Consequently, OAuth doesn't really
assure the user that he's authorizing a legitimate copy of the
Consumer software. (There are other ways to assure this; for example
the user might trust Apple's app store.)

Such a Consumer should avoid revealing a user's token secrets to other
users or other applications on the same platform. I've heard that the
iPhone Keychain is useful for this purpose. There's no need to hide
token secrets from their user (although the user should be discouraged
from revealing his token secrets to other users).

OAuth provides some value in this situation. It enables the Consumer
to avoid storing the user's password, and avoid transmitting the
password with each request to the Service Provider. (Instead, it
stores an access token secret, and signs each request.) It enables the
Service Provider to revoke permission for each Consumer individually,
without changing the password.

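The points in the message above, as an added example that is not part of the original message: an OAuth 1.0 HMAC-SHA1 signature is keyed with the consumer secret and the token secret together, so a request still fails verification when only the consumer secret is known, and the Service Provider can revoke one Consumer's token without touching another's. The endpoint, consumer keys, tokens and secrets are constructed sample values, and `make_request`, `verify` and `demo` are hypothetical helpers.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

URL = "https://sp.example/photos"  # hypothetical Service Provider endpoint

def pct(s):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal
    return quote(s, safe="-._~")

def sign(method, url, params, consumer_secret, token_secret):
    # HMAC-SHA1 over the signature base string, keyed with both secrets
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(normalized)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

# Constructed Service Provider state: consumer secrets and issued tokens
CONSUMERS = {"desktop-app": "shipped-in-binary", "web-app": "server-side-only"}
TOKENS = {"tok-desktop": ("desktop-app", "token-secret-A"),
          "tok-web": ("web-app", "token-secret-B")}

def make_request(consumer_key, consumer_secret, token, token_secret):
    # Fixed timestamp and nonce keep the sample deterministic; no password is sent
    params = {"oauth_consumer_key": consumer_key, "oauth_token": token,
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1700000000",
              "oauth_nonce": "n-1", "oauth_version": "1.0", "file": "vacation.jpg"}
    return params, sign("GET", URL, params, consumer_secret, token_secret)

def verify(tokens, params, signature):
    # Replay checks on nonce and timestamp are not part of this example
    entry = tokens.get(params["oauth_token"])
    if entry is None or entry[0] != params["oauth_consumer_key"]:
        return False  # revoked or unknown token, or token issued to another Consumer
    expected = sign("GET", URL, params, CONSUMERS[entry[0]], entry[1])
    return hmac.compare_digest(expected, signature)

def demo():
    tokens = dict(TOKENS)
    legit = make_request("desktop-app", "shipped-in-binary", "tok-desktop", "token-secret-A")
    # Same consumer secret (assumed public), but the token secret is not known
    no_token_secret = make_request("desktop-app", "shipped-in-binary", "tok-desktop", "guess")
    out = {"legit": verify(tokens, *legit), "no_token_secret": verify(tokens, *no_token_secret)}
    del tokens["tok-desktop"]  # revoke the desktop Consumer only
    web = make_request("web-app", "server-side-only", "tok-web", "token-secret-B")
    out["desktop_after_revoke"] = verify(tokens, *legit)
    out["web_after_revoke"] = verify(tokens, *web)
    return out
```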