On Sun, 30 May 2010 10:15:48 -0700
Jann Gobble <janngob...@gmail.com> wrote:

> Okay, please tell me you know that I can create an app with a
> UIWebView that will take that password you type in faster than
> anything.
> It is NOT secure.  This is my problem with oAuth.  The work-arounds
> cause a false sense of security.  oAuth was NEVER supposed to be used
> this way.  If the user does not trust the app, they should definitely
> not trust the developer that puts a UIWebView in it -- it is too easy
> to do a man-in-the-middle.  oAuth fits in well with webapps, not
> iPhone apps.

The user does trust the app, otherwise they would not be using it. The
problem with the scheme of using the app *and* a browser is that the
user has to trust *both* of them. 

And if they don't trust the app, why are they using it to post their

It looks like the folks who designed this scheme were not thinking
about desktop/mobile apps, only about web based solutions. The rest is
an afterthought.

Be Safe,


Bernd Stramm

Reply via email to