For a service which started out operating by SMS, Twitter takes a surprisingly unenlightened view of mobile. It's main mobile service - http://m.twitter.com/ - is almost completely devoid of useful features. That's one of the main impetuses behind the development of Dabr. Their latest mobile site - http://mobile.twitter.com/ - is really only suitable for the tiny minority of people who have smartphones.

So, understandably, many people use 3rd party sites like Dabr. They are now faced with a dilemma - give an untrusted site their username and password or try to use OAuth on the mobile.

A few weeks ago came the announcement that OAuth was finally ready for mobile... Was it? No. Once again a "mobile friendly" site designed with masses of JavaScript and guaranteed not to work with the majority of phones on the market.

Here's how mobile OAuth looks on a variety of popular mobile phones.

BlackBerry

BlackBerry Twitter OAuth

While this looks pretty enough, it doesn't work. The buttons aren't clickable. I've tried with and without JavaScript. No matter where I click, nothing happens.

Android

The Android's User-Agent isn't detected by Twitter as being a mobile phone. While it's true that the browser is very capable - the OAuth screen is a lot more usable when it's in mobile mode.

Android Twitter OAuth

So, it works, but it doesn't look nice.

N95

The N95 makes a good test phone because it's popular. Probably more popular than the iPhone.

N95 Twitter OAuth

N95 Twitter OAuth

It's not pretty - but at least it works.

Others

The Sharp GX-10 is my default test phone. One of the first phones with a colour HTML browser. If your site can work on this phone, it will work on any phone. There are no screenshot capabilities for this phone - but rest assured, it does not work.

The three phones I've demo'd above are very popular modern phones - AKA the minority. If they don't work well, what chance for the people using older phones?

Useless! How hard can it be? All it needs is a username field, a password field and a button. That's just about the most basic page imaginable. It should be child's play to make it work on mobile.

This was first raised in March 2009 on Twitter's issues list. It's currently the most popular bug.

So, we're stuck in a dire situation. Third-Party mobile sites get access to Twitter users' passwords because Twitter are unable or unwilling to develop a simple OAuth form. It would be fascinating to know how many of Twitter's security breaches are down to corrupt or insecure 3rd party sites which leak passwords.