I recently implemented OAuth for the Yoke service I’ve been developing. Yoke sign-in currently uses OAuth 1.0 for Twitter integration (via twitter4J) and a homespun OAuth 2.0 flow for Facebook, and is used within my Android applications via a WebView. The regular Android approach would be to use the AccountManager API, but there are a number of reasons I chose not to use it:
At the time, these all seemed like pretty compelling reasons to choose OAuth for my applications, and they still do. But now I think that it could be a risk for users to register via OAuth within mobile apps, especially Android apps. Why? It’s simply this:
The security of OAuth is predicated on the use of an honest browser client; within mobile apps this cannot be assumed.
Nothing prevents a malicious application developer from bundling into their app a browser component that mimics the behaviour of the native one. On Android, this is made easier because the source is open and there isn’t any pre-vetting of apps published to the Market.
A compromised browser could readily skim off your password and log it to a server, and it would be difficult, if not impossible, for you to discover that your credentials had been stolen in this way. The problem is that we are all conditioned to look past the browser, to recognize the sign-in pages of the online services we use (Google, Facebook, Twitter etc.) and to give them our trust unconsciously.
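An honest app can at least avoid the pattern described above by not hosting the sign-in page itself. The following Android (Java) sketch, added here and not part of Yoke or the original post, hands the OAuth 2.0 authorization URL to the user's default browser and validates the redirect that comes back; the provider endpoint, client id and yoke-example:// scheme are placeholders.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.util.Base64;
import java.security.SecureRandom;

// Runs the OAuth 2.0 authorization step in the user's own browser rather than in a
// WebView the app controls. Needs an <intent-filter> on this activity for the
// yoke-example:// scheme and android:launchMode="singleTop" so the redirect lands
// in onNewIntent(). Endpoint, client id and scheme are placeholders, not Yoke's.
public abstract class ExternalBrowserSignInActivity extends Activity {
    private static final String AUTHORIZE_URL = "https://provider.example/oauth/authorize";
    private static final String CLIENT_ID = "PLACEHOLDER_CLIENT_ID";
    private static final String REDIRECT_SCHEME = "yoke-example";
    private static final String REDIRECT_URI = REDIRECT_SCHEME + "://oauth/callback";
    private static final String PREF_STATE = "oauth_state";

    // Receives the authorization code once the redirect has been validated.
    protected abstract void onAuthorizationCode(String code);

    protected void startSignIn() {
        // Unpredictable state binds the eventual redirect to this request.
        byte[] rnd = new byte[32];
        new SecureRandom().nextBytes(rnd);
        String state = Base64.encodeToString(rnd, Base64.URL_SAFE | Base64.NO_WRAP | Base64.NO_PADDING);
        getPreferences(MODE_PRIVATE).edit().putString(PREF_STATE, state).apply();
        Uri authorize = Uri.parse(AUTHORIZE_URL).buildUpon()
                .appendQueryParameter("response_type", "code")
                .appendQueryParameter("client_id", CLIENT_ID)
                .appendQueryParameter("redirect_uri", REDIRECT_URI)
                .appendQueryParameter("state", state)
                .build();
        // The system browser renders the provider's sign-in page; this app never sees the password.
        startActivity(new Intent(Intent.ACTION_VIEW, authorize));
    }

    @Override
    protected void onNewIntent(Intent intent) {
        super.onNewIntent(intent);
        Uri data = intent.getData();
        if (data == null || !REDIRECT_SCHEME.equals(data.getScheme())) return;
        // One-shot: consume the stored state so a replayed redirect cannot match it.
        String expected = getPreferences(MODE_PRIVATE).getString(PREF_STATE, null);
        getPreferences(MODE_PRIVATE).edit().remove(PREF_STATE).apply();
        String state = data.getQueryParameter("state");
        String code = data.getQueryParameter("code");
        if (expected == null || code == null || !expected.equals(state)) return;
        onAuthorizationCode(code);
    }
}
```

This only protects users of apps that choose to do it; it does not stop a malicious app from shipping its own look-alike browser, which is the point of the post.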
I will continue to provide authentication within Yoke apps using OAuth since I’ve invested time implementing it, but in the future I may be a little more cautious.