HTTP Basic in Mobile Apps
This blog post, which is making the rounds on Twitter tonight, highlights a problem with FourSquare that sounds pretty scary. But if that’s scary, you should see many of the other APIs that mobile apps use — including many apps you probably use every day. This problem is a lot more common than people may realize.
In fact, it affects most Twitter apps that we use on our phones. Twitter realizes this, and has tried to phase out the use of Basic Authentication in their API. At one point they even announced an end to Basic Auth for all new apps, but had to reverse that decision because of developer resistance. Their official policy now is they really want this to go away some day:
“OAuth is the Twitter preferred method of authentication moving forward. While we have no plans in the near term to require OAuth, new applications should consider it best practice to develop for OAuth. We eventually would like to suspend Basic Auth support. However we realize that Basic Auth has been a large part of the API’s success, and that the barrier to entry if OAuth is the only solution is substantially higher.”
OAuth is, of course, the right answer to this issue. But it can be tricky to implement (for developers) in native apps. And, perhaps more significantly, it can be a little confusing (arguably even a little disconcerting) for users as they get kicked out to the Twitter site to “approve” access for this new application they just downloaded. If you understand OAuth, it’s easy to see this is more secure than giving some app your Twitter password, but explaining that to a user and having them go through the process is often difficult.
So, yes, FourSquare and Twitter and everyone else should implement and require OAuth (and deprecate HTTP Basic), but it’s not their fault that this is not really feasible yet. One thing that I think would really help is OS level support, especially in the user experience for OAuth. I would envision something similar to how Apple implemented seamless login to restricted WiFi hotspots. If OAuth can be seamlessly weaved into the OS like that (with direct API support), then I’m sure most mobile developers and web services would leverage that quickly. Nobody likes Basic Authentication, but right now it’s just the easiest way to do things.
28. Feb, 2010
I think the key in Zach’s example is that it’s Basic auth over plaintext HTTP. If they were at least using SSL, you’d be mitigating a huge part of the issue and making it less likely (but not impossible) for someone to intercept and decode your credentials.
True, using SSL is a good improvement (assuming you trust the new app you just bought). It’s surprising that a lot of apps don’t even do that. Twitter does support this.
There are some scale issues with that, of course. But then again, the same is true of OAuth.
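The post's point (Basic Auth hands the app your actual password) and the comment thread's point (over plaintext HTTP anyone on the path can read and decode it, and SSL mitigates that) can both be made concrete in a few lines. The following is an added example written for this page; it is not code from the post, from Twitter, or from FourSquare. The request log, the `api.example.test` host, and the function names are all constructed for illustration.

```python
import base64
from urllib.parse import urlsplit


def build_basic_header(username, password):
    """RFC 7617 Basic credentials: base64 of "user:password".

    Base64 is an encoding, not encryption, so the header carries the
    real password in a form anyone who sees the request can reverse.
    """
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_header(header_value):
    """Recover (username, password) from a Basic header, or None.

    This is all an eavesdropper on a plaintext connection has to do,
    which is why Basic over http:// is the scary case in the post.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    decoded = base64.b64decode(token).decode("utf-8")
    username, _, password = decoded.partition(":")
    return username, password


def basic_auth_exposure(url, headers):
    """Classify one request: 'none', 'basic_over_tls' or 'basic_over_plaintext'."""
    auth = headers.get("Authorization", "")
    if not auth.lower().startswith("basic "):
        return "none"
    if urlsplit(url).scheme == "https":
        return "basic_over_tls"
    return "basic_over_plaintext"


def authorized_request(url, username, password):
    """Client-side guard an app can use: never emit Basic credentials over plaintext.

    Returns the headers to send, or raises if the URL is not https.
    """
    if urlsplit(url).scheme != "https":
        raise ValueError(f"refusing to send Basic credentials over non-TLS URL: {url}")
    return {"Authorization": build_basic_header(username, password)}


# Constructed sample of outbound API requests, as an app audit or proxy log
# might record them (method, url, headers). Not real traffic.
SAMPLE_REQUESTS = [
    ("GET", "https://api.example.test/statuses/home_timeline",
     {"Authorization": build_basic_header("alice", "s3cret")}),
    ("POST", "http://api.example.test/statuses/update",
     {"Authorization": build_basic_header("alice", "s3cret")}),
    ("GET", "http://api.example.test/public_timeline", {}),
]


def audit(requests):
    """Return the URLs of requests that send Basic credentials over plaintext HTTP."""
    return [
        url for _, url, headers in requests
        if basic_auth_exposure(url, headers) == "basic_over_plaintext"
    ]


if __name__ == "__main__":
    for url in audit(SAMPLE_REQUESTS):
        print("plaintext Basic credentials sent to", url)
    print(decode_basic_header(build_basic_header("alice", "s3cret")))
```

The `audit` function is the check a reviewer of an app's traffic would want: it flags only the combination the commenter describes, Basic credentials on a non-TLS URL. `authorized_request` is the corresponding client-side rule; it still gives the app the user's password, which is the part of the problem only OAuth addresses.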
Hi,
I just found this post from my Google News reader, very useful post and blog you have. Keep it up with the great work.
Jenni
Thanks!
Social comments and analytics for this post…
This post was mentioned on Twitter by flafeer: @quine @kentbrew @atul Your post was not FUD, but good reminder about a lot of apps and APIs: http://bit.ly/9AFnJl...
Thanks for the info, I’m adding you to my blogroll.