On Fri, Sep 3, 2010 at 11:43, Bernd Stramm <[email protected]> wrote:
> On Fri, 3 Sep 2010 11:29:22 -0700 (PDT)
> Ken <[email protected]> wrote:
>
> > What is the risk of storing a token? It can't be used outside your
> > app.
>
> The token being confined to use "within" an app is very insecure when
> the app runs on an end-user device. There soon will be a billion smart
> phones, and many of those will run twitter apps.
>

Humans are very insecure. Most will tell you all of their passwords with the right/wrong type of influences.

> Then suppose user Alice finds out user Bob's token (perhaps by
> borrowing or stealing a phone), and publishes it.
>
> User Bob now has no way to retire the token, short of disabling the app
> that runs on millions of phones. Or Bob can get a new twitter user name.
>

This is incorrect. Bob can go to Twitter and revoke the token so it won't work anymore.

> That's not what is normally called security.
>
> OAuth as currently done with twitter only works when the "app" runs on
> a small number of secure servers.
> --
> Bernd Stramm
> [email protected]
>

Abraham

-------------
Abraham Williams | Hacker Advocate | http://abrah.am
@abraham | http://projects.abrah.am | http://blog.abrah.am
This email is: [ ] shareable [x] ask first [ ] private.

--
Twitter developer documentation and resources: http://dev.twitter.com/doc
API updates via Twitter: http://twitter.com/twitterapi
Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list
Change your membership to this group: http://groups.google.com/group/twitter-development-talk?hl=en
