OpenID in desktop apps

[Darren Bounds]

Just to reiterate what I had said in a previous post regarding
UIWebView. There's really no point concerning yourself with phishing
when the application already owns the pond.

In most cases an application launching an embedded user-agent with
custom chrome doesn't need to phish. They more than likely already
have access to the request and response payload (as is the case with
UIWebView), even when they're sending you to the legitimate Facebook
site.

Darren

On Sat, Feb 7, 2009 at 8:33 PM, Chris Messina <chris.messina at gmail.com> wrote:
> I highly recommend that all those whom I cc'd join the user-experience list
> at OpenID if you haven't already:
> http://openid.net/mailman/listinfo/user-experience
>
> I wanted to point out a disturbing but insightful trend that I've seen in
> apps, both on the Mac and iPhone lately... essentially embedding a WebKit
> view inside the app for doing delegated authentication. Example:
> http://www.flickr.com/photos/factoryjoe/3260710115/
>
> Without the URL bar (presuming that the URL bar hasn't been tampered with),
> it's impossible to know who is hosting this page. Facebook is also
> none-the-wiser about whether this experience is taking place from within the
> browser or within some custom app. I also don't see how this can be stopped.
> I'd like to hear your thoughts about this, given our desire to push the
> popup experience forward, mandating, I presume, visibility of the URL bar in
> these flows.
> Chris
> --
> Chris Messina
> Citizen-Participant &
>  Open Web Advocate-at-Large
>
> factoryjoe.com # diso-project.org
> citizenagency.com # vidoop.com
> This email is:   [X] bloggable    [ ] ask first   [ ] private
>
> _______________________________________________
> user-experience mailing list
> user-experience at openid.net
> http://openid.net/mailman/listinfo/user-experience
>
>



-- 
darren bounds
darren at cliqset.com