<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Techrudite &#187; security</title>
	<atom:link href="http://techrudite.com/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://techrudite.com</link>
	<description>Thoughts on Software, Gov2.0, Mobile, Scale and Speed</description>
	<lastBuildDate>Thu, 22 Apr 2010 14:41:08 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>HTTP Basic in Mobile Apps</title>
		<link>http://techrudite.com/2010/http-basic-in-mobile-apps/</link>
		<comments>http://techrudite.com/2010/http-basic-in-mobile-apps/#comments</comments>
		<pubDate>Mon, 01 Mar 2010 05:53:52 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Mobile]]></category>
		<category><![CDATA[OAuth]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://techrudite.com/?p=45</guid>
		<description><![CDATA[Basic Auth vulnerability is very common in mobile applications, not just Foursquare.]]></description>
			<content:encoded><![CDATA[<p><a href="http://techrudite.com/wp-content/uploads/2010/02/3859852351_d65f71267b_m1.jpg"><img class="alignnone size-full wp-image-47" style="float: right;" title="Open Lock" src="http://techrudite.com/wp-content/uploads/2010/02/3859852351_d65f71267b_m1.jpg" alt="" width="200" height="240" /></a></p>
<p><a href="http://intrepidusgroup.com/insight/2010/02/im-in-ur-4sq-snarfin-ur-password-part-i/" target="_blank">This blog post</a>, which is making the rounds on Twitter tonight, highlights a problem with FourSquare that sounds pretty scary. But if that&#8217;s scary, you should see many of the other APIs that mobile apps use &#8212; including many apps you probably use every day. This problem is a lot more common than people may realize.</p>
<p>In fact, it affects most Twitter apps that we use on our phones. Twitter realizes this, and has tried to <a href="http://apiwiki.twitter.com/Authentication" target="_blank">phase out the use of Basic Authentication </a>in their API. At one point they even announced an end to Basic Auth for all new apps, but had to reverse that decision because of developer resistance. Their official policy now is they really want this to go away some day:</p>
<p><span style="color: #333399;">&#8220;OAuth is the Twitter preferred method of authentication moving forward. While we have no plans in the near term to require OAuth, new applications should consider it best practice to develop for OAuth.  We eventually would like to suspend Basic Auth support. However we realize that Basic Auth has been a large part of the API&#8217;s success, and that the barrier to entry if OAuth is the only solution is substantially higher.&#8221;</span></p>
<p><span style="color: #000000;"><a href="http://oauth.net/" target="_blank">OAuth</a> is, of course, the right answer to this issue. But it can be tricky to implement (for developers) in native apps. And, perhaps more significantly, it can be a little confusing (arguably even a little disconcerting) for users as they get kicked out to the Twitter site to &#8220;approve&#8221; access for this new application they just downloaded. If you understand OAuth, it&#8217;s easy to see this is more secure than giving some app your Twitter password, but explaining that to a user and having them go through the process is often difficult.</span></p>
<p>So, yes, FourSquare and Twitter and everyone else should implement and require OAuth (and deprecate HTTP Basic), but it&#8217;s not their fault that this is not really feasible yet. One thing that I think would really help is OS-level support, especially in the user experience for OAuth. I would envision something similar to how Apple implemented seamless login to restricted WiFi hotspots. If OAuth can be seamlessly woven into the OS like that (with direct API support), then I&#8217;m sure most mobile developers and web services would leverage it quickly. Nobody likes Basic Authentication, but right now it&#8217;s just the easiest way to do things.</p>
]]></content:encoded>
			<wfw:commentRss>http://techrudite.com/2010/http-basic-in-mobile-apps/feed/</wfw:commentRss>
		<slash:comments>112</slash:comments>
		</item>
	</channel>
</rss>