
I don't know what their reasoning is, but there's another obvious reason - if you're trying to protect against a malicious app, unless you get it from the App Store so you can be assured it's sandboxed and it uses an external web browser to show the OAuth dialog, you don't have any real guarantee that it can't steal your password anyway. Although it might be easier to write an app that steals your password if you enter it directly, that's not much real security - to that extent, the sense of protection that the OAuth dialog gives you is false. (This is especially silly for iPhone Twitter apps, where the standard is to pop up a web view which the app can easily inject JavaScript into.)


One nice thing about Windows 8 app development is that they provide a method through WebAuthenticationBroker to have the browser instance hosted in a secure separate process from your app to prevent any shenanigans.



