Interesting details, and see below:

On Mon, 14 Jun 2010 10:51:34 -0700
Zac Bowling <> wrote:

> In facebook's desktop authflow, rather then giving you an
> ...

> Basically when it comes to desktop apps, Facebook can't for sure tell
> the difference between my desktop app and illegitimate one.

Not only that, they (or anyone) cannot tell a legitimate desktop from an
illegitimate one. An illegitimate person can take a desktop with a
bunch of legitimate apps and do illegitimate things with the whole

And then we should not forget that a mobile phone is a the same as a
desktop, from the point of view of the web server. Phones are usually
not protected very well, both in terms of autheticating users and in
physical terms.

What is it that makes an app illegitimate? Basically that is
impersonates the user, and does things the user doesn't want done.

Unless of course the app does business on behalf of a third party with
both the user and the server (twitter, facebook, ...). Collecting data
is "doing business" in this sense. Then the app is an agent for that
third party.

But for a lot of apps, this is not the case, they act entirely as an
agent for the user. They are no different than browsers in this respect.

Bernd Stramm

Reply via email to