On Sun, 30 May 2010 03:50:21 -0700 (PDT)
Rich <rhyl...@gmail.com> wrote:

> You don't have to go from app to browser, embed a UIWebView and then in
> 
> - (BOOL)webView:(UIWebView *)webView shouldStartLoadWithRequest:
> (NSURLRequest *)request navigationType:
> (UIWebViewNavigationType)navigationType {

I do the equivalent in Qt. It looks decent, and the user has the
impression that they are typing their password into the app. In fact
they are. 

So the user experience is pretty close to basic auth. I doubt that the
users who have been happily giving away their password left and right
really care who stores their password. Perhaps that situation will
improve with better user education.

An approach with a webview integrated into the app is more secure than
using an external browser - my app doesn't know what browser the user
has configured. Why would I assume that some unknown browser is secure
and doesn't grab their password? Many browsers have nice features for
exactly that. 

There are other glaring holes in the entire setup. Users get an email
PIN from places like twitpic, and once a black hat has that, they can
impersonate the user with embarrassing pictures and tweets all day.

So I would advise users to not use any of the twitter environment and
surroundings for banking transactions. And if embarrassing pics
surface, at least users have plausible deniability.


Be safe,

Bernd

-- 

Bernd Stramm
<bernd.str...@gmail.com>
