John Gruber writes today about OAuth vs xAuth in his post “Twitter’s Shit Sandwich”. In it he declares that “So long as you remain within the app, there’s no security advantage for OAuth … but there’s a huge decrease in usability, simplicity and clarity to the user”.
Context: xAuth and OAuth are two ways to log in to Twitter. With xAuth, an iOS app asks you for your username and password, and you have to hope that it doesn't abuse them. Web apps use OAuth: you are redirected to a page served by Twitter's own servers, and the app never sees your password. On the iPhone, some apps use OAuth inside an embedded web view. In that case the app controls the view, so it can still capture your password even though you are using OAuth. It offers no better security than xAuth and adds complexity.
But there is another option for app developers, and it has a huge advantage over xAuth and in-app OAuth: you don't have to type in your password into the app at all. All the app has to do is open the regular Safari browser on the phone, log in using OAuth there, and then redirect back to a custom URL scheme the app has registered. Because it's Safari, the Twitter username and password only ever have to be entered once, and, because it's Safari, I'm happy to do so. Is it more complicated than xAuth? That depends on how you measure "complicated". If my password is already in Safari, then it seems to me that not having to enter my username and password, but instead just pressing "Yes", is way less complicated.
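To make concrete what the app does and does not see in this flow, here is the app side of the callback step written as an added Python example (not code from the post or from any Twitter client). It assumes a hypothetical custom scheme `myapp://` and models OAuth 1.0a as Twitter used it: Safari redirects back with only a request token and a one-time verifier, which the app checks and then uses to sign the access-token request. No password ever crosses into the app.

```python
"""App side of the 'open Safari, redirect back' OAuth 1.0a flow (example code)."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlparse

APP_SCHEME = "myapp"  # hypothetical custom URL scheme registered by the app


def handle_callback(url: str, expected_request_token: str) -> str:
    """Validate the redirect Safari hands back and return the oauth_verifier.

    The only values crossing the boundary are the request token the app already
    knows and a one-time verifier. Matching the token against the pending request
    rejects a callback that belongs to some other login attempt.
    """
    parts = urlparse(url)
    if parts.scheme != APP_SCHEME:
        raise ValueError("callback arrived on an unexpected URL scheme")
    query = parse_qs(parts.query)
    token = query.get("oauth_token", [None])[0]
    verifier = query.get("oauth_verifier", [None])[0]
    if token != expected_request_token:
        raise ValueError("oauth_token does not match the pending request token")
    if not verifier:
        raise ValueError("callback carries no oauth_verifier")
    return verifier


def _enc(value: str) -> str:
    # RFC 5849 percent-encoding: only unreserved characters are left alone.
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Build the RFC 5849 base string for the access-token request."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(url), _enc(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str) -> str:
    """Sign the base string; the key is the consumer secret joined to the token secret."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


if __name__ == "__main__":
    # Constructed sample callback, as Safari would deliver it to the app.
    verifier = handle_callback("myapp://oauth?oauth_token=req123&oauth_verifier=v456", "req123")
    base = signature_base_string("POST", "https://api.twitter.com/oauth/access_token",
                                 {"oauth_token": "req123", "oauth_verifier": verifier})
    print(hmac_sha1_signature(base, "consumer-secret", "request-token-secret"))
```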