Thanks for the tips, Andrew!

Your suggestions to Apple on secret management seems like a great idea.
We'll keep that on our radar.


On Fri, Jun 25, 2010 at 2:57 PM, Andrew W. Donoho

> On Jun 25, 2010, at 15:42 , Taylor Singletary wrote:
> > However, we'd love to collect together specific implementation stories of
> developers who've successfully made the transition and highlight them here.
> Taylor et. al.,
>        As someone with his own custom iPhone REST stack, I scaled the
> OAuth/xAuth wall. In my view, everyone made this transition seem much
> tougher than it really is. Here's my advice:
> 0) If you don't have a REST stack, git one! There are many out there. I
> started with one. (Very little of it remains in my apps but that is another
> matter. It got me started.)
> 1) Your http request tends to change in exactly one place -- setting your
> authorization header. Don't freak out about changing your code base. I added
> 3 methods to my stack: create a signature string, sign the signature string
> and create the OAuth header. I changed one method to sort and URL encode my
> parameters. In all, this is a pretty minimal change. I cribbed much of this
> from other open source implementations.
> 1a) Calculating a signature string is not as daunting as it looks. Some
> pseudo code would have helped. Twitter's recent documentation helped.
> 1b) Calculating HMAC-SHA1 signature is simple too. If you use the common
> crypto library (CDSA derived), it takes 6 lines.
> 1c) What wasn't too clear was how the xAuth process interacted with your
> tokens. (Yes, I knew they were missing. What wasn't apparent was that I had
> to leave the conjoining '&' in the signature secret.)
> 2) The WWDC slides sum up most of the issues but leave out the supporting
> nitty gritty code.
>        Finally, we all know that xAuth has a huge security hole -- the
> embedded consumer secret in the client app. I have a feature request into
> Apple to allow the passing of encrypted secrets to native applications
> through App Store binary code. I have also posted it to OpenRadar at this
> link: <>. If members of this community
> agree that we need a solution to this problem, then please consider filing
> enhancement requests with Apple via bugreporter and reference my request.
> (If someone else has a similar request, I'll be happy to reference their
> request in my communications with Apple.)
> Anon,
> Andrew
> ____________________________________
> Andrew W. Donoho
> Donoho Design Group, L.L.C.
>, +1 (512) 750-7596
> "We did not come to fear the future.
>    We came here to shape it."
> -- President Barack Obama, Sept. 2009

Reply via email to