• Authentication security in iOS apps

    When I read a post that John Gruber wrote today about OAuth in native Twitter apps and how much of a poor user experience it is/will be, I had to dig deeper into the article. On first read of the article, I disagreed with him as I thought he missed a very important point about security, but upon re-reading it, he did identify one of the major issues with how OAuth (and other types of service authentication) is done on iOS, in particular.

    Developers can alleviate some of the context switching by using an embedded web view inside their native app for the OAuth authentication handshake, but at that point, why not just use xAuth and simply allow the user to enter their username and password in a native dialog box? So long as you remain within the app, there’s no security advantage for OAuth in an embedded web view over xAuth...

    This is something that most users are unaware of when entering their credentials in any iOS app. As long as you are in the app, even if the page says Facebook, Twitter, Dropbox, etc. and you're not running an app from these companies, the app can capture your username and password. Some companies ship their libraries to developers in a form that doesn't let the developer modify the source code, but that offers zero protection from a malicious developer that wants to steal usernames and passwords.

    I've seen one application launch Safari, ask you to log in to Facebook and, when done, return you to the app. From a security point of view, this is the ONLY way to ensure that the application doesn't capture your credentials (provided that you trust that Safari isn't stealing your credentials). Any embedded web view offers no guarantee that the app isn't hijacking your credentials, as the app can walk the hierarchy of views and grab info; in a kiosk I worked on, we presented web pages, but I modified the web pages before displaying them to change the credit card field to a password field to mask the numbers; this type of modification of web data is quite easy when a developer controls the entire app.

    Should you be worried? That all depends. Do you use different passwords for every service? If not, consider using 1Passwd. Yes, it may be a pain to enter the random password on a mobile device, but if some app got access to the password you use on all your sites, the risk is great. Are most developers honest? Yes, but bugs in the code could put your password at risk. Also when I tried out apps for Google Voice, I had some strange feelings about an app, so I ran my iPhone's networking through Charles Proxy to see where the app was connecting; it was connecting to a site that wasn't Google. I had no idea if my Google Voice password (which is my Google password for email) was going to some lone developer's server. Based on the developer's posting in various forums, I didn't trust his app with my password.

    Should users be inconvenienced by having an app launch Safari, enter credentials and then go back to the app? Personally, as someone a bit paranoid about security, I think it is worth the one-time inconvenience (per app). The average user may not think this way. However, if the app educated the user by indicating that, for security purposes, Safari will be launched, that might mitigate the issue.
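    The out-of-app flow described above, written out as an added example (not the original post's code): the app hands the login page to Safari, and Safari returns only an authorization code through a custom URL scheme, so the password never passes through the app's process. The scheme "exampleapp", the host auth.example.com and the client id are placeholders, and the callback is assumed to arrive as exampleapp://oauth?state=...&code=... (iOS 6+ APIs).

```objc
// AppDelegate.m (added example; placeholder scheme/host/client id)
#import <UIKit/UIKit.h>
#import "AppDelegate.h"

// The app must register kCallbackScheme under CFBundleURLTypes in Info.plist.
static NSString * const kCallbackScheme = @"exampleapp";
static NSString * const kAuthorizeURL   = @"https://auth.example.com/oauth/authorize";
static NSString *pendingState = nil;   // single-use value tying a callback to our request

@implementation AppDelegate

// Step 1: open the service's login page in Safari, not in an in-app web view,
// so the app never sees the login form's keystrokes or DOM.
- (void)beginLogin {
    pendingState = [[NSUUID UUID] UUIDString];   // random, unguessable state
    NSString *url = [NSString stringWithFormat:
        @"%@?response_type=code&client_id=%@&redirect_uri=%@://oauth&state=%@",
        kAuthorizeURL, @"CLIENT_ID_PLACEHOLDER", kCallbackScheme, pendingState];
    [[UIApplication sharedApplication] openURL:[NSURL URLWithString:url]];
}

// Step 2: Safari comes back through the custom scheme. Only the short-lived
// authorization code crosses this boundary, and only if the state matches.
- (BOOL)application:(UIApplication *)application openURL:(NSURL *)url
  sourceApplication:(NSString *)sourceApplication annotation:(id)annotation {
    if (![url.scheme isEqualToString:kCallbackScheme]) return NO;

    NSMutableDictionary *params = [NSMutableDictionary dictionary];
    for (NSString *pair in [url.query componentsSeparatedByString:@"&"]) {
        NSArray *kv = [pair componentsSeparatedByString:@"="];
        if (kv.count == 2) {
            params[kv[0]] = [kv[1] stringByReplacingPercentEscapesUsingEncoding:NSUTF8StringEncoding];
        }
    }
    // Any app on the device can open our scheme, so reject callbacks whose
    // state is missing or does not match the one we generated.
    if (pendingState == nil || ![params[@"state"] isEqualToString:pendingState]) return NO;
    pendingState = nil;   // one callback per login attempt

    NSString *code = params[@"code"];
    if (code.length == 0) return NO;
    // Hand the code to whatever performs the token exchange; the user's
    // password was typed into Safari and never entered this process.
    [[NSNotificationCenter defaultCenter] postNotificationName:@"OAuthCodeReceived"
                                                        object:nil
                                                      userInfo:@{ @"code" : code }];
    return YES;
}

@end
```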

  • Surviving the spring storm

    Yesterday, I was interviewed about the spring storm that was going to happen today. I found it pretty humorous that any storm in San Diego especially a spring "storm", makes the news. Today the "storm" hit and it dumped so much rain that by 4 pm, the ground was just about dry and it was sunny! I went for a run and mistakenly wore a long sleeved shirt; it was far too warm for it even though the spring storm was supposed to bring cold air.

    Why does weather in San Diego make news? People in other parts of the country laugh at us when we complain about the weather, and the local news just makes things worse by reporting ridiculous stories calling what we got a storm.

    While I do complain about the weather, I do it jokingly and have used it to gently poke fun at my co-workers in other parts of the country.

  • My weather gripe has made me famous

    Back in January, I posted about being a weather wimp. Today I was contacted by the local CBS affiliate about the entry wanting to know if I'd be interviewed about the big storm coming. I didn't even know that a storm was coming, but I agreed to be interviewed. We did the interview over Skype as they wanted it for today's news. Unfortunately, the only piece of the interview that made the news was one quote on their website and a split second shot of my blog. I guess the people that lived on Rainswept Way were more interesting than my rant!

  • Review: Alfred

    When I saw Alfred available in the Mac App Store, I grabbed a copy and was pretty impressed. I've used a number of launchers over the years including Quicksilver, LaunchBar, Google Quick Search Box, and Butler. Each one has its strengths and weaknesses. The biggest downside I found to all of the launchers was the UI.

    Alfred does basically the same thing as the other launchers, but the UI I find to be quite elegant. The free version of Alfred has handled just about all my launching needs as I'm primarily a keyboard person and the less I have to use the trackpad, the better (with some limitations). Just yesterday, I saw a new version of Alfred had come out and the PowerPack (£12) had some features that I found cool including entering Terminal commands and file navigation. I plunked down my ~$20 and have been happily using Alfred all day.

    I really have no complaints about Alfred and find that it is easier to use and more visually appealing than its competitors.

    Pros

    • Easy to use.
    • Clean user interface.
    • Preferences are easy to understand.
    • Quick Terminal command entry is slick. (PowerPack Only)
    • File Navigation is a quick way to find files. (PowerPack Only)
    • Clipboard history eliminates need for a separate app. (PowerPack Only)

    Cons

    • Searching for files could use a bit more narrowing down. For instance, I want results from my home folder, but not in my Library folder.

    Summary

    Without buying the PowerPack, Alfred is well worth using. The user interface is clean and the application works well. Adding the PowerPack, if you need the extra features, is worth the small cost. I find that without a launcher of any kind, I spend far too much time looking for applications; I don't like a ton of applications on my dock, so a launcher is needed. Alfred, for me, is the best of the current crop of launchers.

    Everyone has a favorite launcher and switching launchers is much like the debate about which is better, Mac or Windows. Giving the free version of Alfred a try is a no brainer. If you don't like it, go back to using another launcher.