On Sun, 30 May 2010 10:15:48 -0700
Jann Gobble <janngob...@gmail.com> wrote:
> Okay, please tell me you know that I can create an app with a
> UIWebView that will take that password you type in faster than
> It is NOT secure. This is my problem with OAuth. The workarounds
> cause a false sense of security. OAuth was NEVER supposed to be used
> this way. If the user does not trust the app, they should definitely
> not trust the developer that puts a UIWebView in it -- it is too easy
> to do a man-in-the-middle. OAuth fits in well with webapps, not
> iPhone apps.

The user does trust the app, otherwise they would not be using it. The
problem with the scheme of using the app *and* a browser is that the
user has to trust *both* of them.
And if they don't trust the app, why are they using it to post their
It looks like the folks who designed this scheme were not thinking
about desktop/mobile apps, only about web-based solutions. The rest is