Twitter OAuth - Mobile Failures
I'm a big fan of OAuth - despite some claims to the contrary. It's an excellent way of teaching people not to stick their username and password into any old site which asks for it. Which is why I'm so incredibly disappointed in Twitter's implementation of mobile OAuth.
For a service which started out operating by SMS, Twitter takes a surprisingly unenlightened view of mobile. Its main mobile service - http://m.twitter.com/ - is almost completely devoid of useful features. That was one of the main reasons Dabr was developed. Their latest mobile site - http://mobile.twitter.com/ - is really only suitable for the tiny minority of people who have smartphones.
So, understandably, many people use third-party sites like Dabr. They are now faced with a dilemma - give an untrusted site their username and password, or try to use OAuth on the mobile.
A few weeks ago came the announcement that OAuth was finally ready for mobile... Was it? No. Once again, the "mobile friendly" page was built with masses of JavaScript and was guaranteed not to work on the majority of phones on the market.
Here's how mobile OAuth looks on a variety of popular mobile phones.
BlackBerry
While this looks pretty enough, it doesn't work. The buttons aren't clickable. I've tried with and without JavaScript. No matter where I click, nothing happens.
Android
Twitter does not detect the Android phone's User-Agent as belonging to a mobile phone. While it's true that the browser is very capable, the OAuth screen is a lot more usable when it's served in mobile mode.
So, it works, but it doesn't look nice.
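The mobile detection that Twitter got wrong for Android is not complicated. The following is an added example (it is not Twitter's or Dabr's code) that picks a plain HTML authorization page or the JavaScript one from the request's User-Agent and Accept headers. The token list covers Android, BlackBerry and Symbian phones as well as the iPhone, and falls back to the WAP content types that older feature phones advertise. The header strings and the two template names are constructed samples for the example, not captured traffic or real Twitter file names.

```python
"""Added example, not code from the post, Dabr or Twitter.

Decide which OAuth authorization page to serve from the request headers.
The User-Agent is attacker-controlled, so it only ever selects a template;
it must never feed into the authorization decision itself.
"""
import re

# Substrings that identify phone browsers of the period (Android, BlackBerry,
# Symbian/Nokia, iPhone, J2ME feature phones, Opera Mini, Windows Mobile).
MOBILE_TOKENS = re.compile(
    r"Android|BlackBerry|iPhone|iPod|Symbian|SymbOS|Nokia|Opera Mini|"
    r"Windows CE|IEMobile|webOS|MIDP|SHARP-TQ",
    re.IGNORECASE,
)

# Feature phones often identify themselves only through WAP media types.
WAP_TYPES = ("application/vnd.wap.xhtml+xml", "text/vnd.wap.wml")

# Assumed template names for the two authorization pages.
PLAIN_PAGE = "authorize_plain.html"   # username, password, one button, no JS
JS_PAGE = "authorize_js.html"         # the JavaScript-heavy page


def is_mobile(headers):
    """headers: dict with canonical header names (User-Agent, Accept)."""
    ua = headers.get("User-Agent", "")
    accept = headers.get("Accept", "").lower()
    if MOBILE_TOKENS.search(ua):
        return True
    return any(t in accept for t in WAP_TYPES)


def choose_authorize_page(headers):
    """Return the template to render for this request."""
    return PLAIN_PAGE if is_mobile(headers) else JS_PAGE


# Constructed sample headers, modelled on the real formats of each browser.
SAMPLES = {
    "hero": {"User-Agent": "Mozilla/5.0 (Linux; U; Android 1.5; en-gb; "
                           "HTC Hero Build/CUPCAKE) AppleWebKit/528.5+ "
                           "(KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1"},
    "blackberry": {"User-Agent": "BlackBerry9000/4.6.0.167 Profile/MIDP-2.0 "
                                 "Configuration/CLDC-1.1 VendorID/102"},
    "n95": {"User-Agent": "Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 "
                          "NokiaN95/21.0.016; Profile/MIDP-2.0 Configuration/CLDC-1.1)"},
    "gx10": {"User-Agent": "SHARP-TQ-GX10/1.0 Profile/MIDP-1.0 Configuration/CLDC-1.0",
             "Accept": "application/vnd.wap.xhtml+xml, text/vnd.wap.wml"},
    # A phone that only reveals itself through the Accept header.
    "wap_only": {"User-Agent": "UP.Browser/6.2", "Accept": "text/vnd.wap.wml"},
    "desktop": {"User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.7) "
                              "Gecko/20091221 Firefox/3.5.7",
                "Accept": "text/html,application/xhtml+xml"},
}


def classify_samples():
    """Map each sample name to the page it would be served."""
    return {name: choose_authorize_page(h) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, page in classify_samples().items():
        print(f"{name:>10}: {page}")
```

If you are unsure about a User-Agent, the safe default is the plain page: it is the one that works everywhere, and a desktop user loses nothing by seeing it.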
N95
The N95 makes a good test phone because it's popular. Probably more popular than the iPhone.
It's not pretty - but at least it works.
Others
The Sharp GX-10 is my default test phone. One of the first phones with a colour HTML browser. If your site can work on this phone, it will work on any phone. There are no screenshot capabilities for this phone - but rest assured, it does not work.
The three phones I've shown above are very popular modern phones - i.e. the smartphone-owning minority. If they don't work well, what chance do people using older phones have?
Useless! How hard can it be? All it needs is a username field, a password field and a button. That's just about the most basic page imaginable. It should be child's play to make it work on mobile.
This was first raised in March 2009 on Twitter's issues list. It's currently the most popular bug.
So, we're stuck in a dire situation. Third-party mobile sites get access to Twitter users' passwords because Twitter are unable or unwilling to develop a simple OAuth form. It would be fascinating to know how many of Twitter's security breaches are down to corrupt or insecure third-party sites which leak passwords.
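What a working OAuth page would buy the user is worth spelling out. Twitter's API used OAuth 1.0a, and under it the third-party site only ever holds a consumer key/secret and a per-user access token/secret; the password stays with Twitter. The following added example (not Dabr's or Twitter's code) shows the HMAC-SHA1 signing that the third party performs on each API call, and the recomputation that the server side does to verify it. The keys, secrets, nonce, timestamp and the API URL are constructed placeholder values for the example.

```python
"""Added example, not code from the post, Dabr or Twitter.

OAuth 1.0a HMAC-SHA1 request signing (consumer side) and verification
(server side).  Note which inputs exist: consumer key/secret and the user's
access token/secret.  The user's password is never an input to anything here.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0a requires (unreserved: A-Z a-z 0-9 - . _ ~)."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Build 'METHOD&enc(url)&enc(normalized params)'.

    params holds every oauth_* parameter plus the query/body parameters,
    excluding oauth_signature itself.  Pairs are encoded, then sorted by
    encoded key and value, as the spec requires.
    """
    encoded = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with 'enc(consumer)&enc(token)'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def build_authorization(method, url, query, consumer_key, consumer_secret,
                        access_token, token_secret, nonce, timestamp):
    """Consumer side: return (Authorization header value, oauth params dict)."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": access_token,
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = sign(method, url, {**query, **oauth},
                                    consumer_secret, token_secret)
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return header, oauth


def verify(method, url, query, oauth, consumer_secret, token_secret):
    """Server side: recompute the signature from the received parameters.

    The server looks up the secrets by oauth_consumer_key / oauth_token; the
    comparison is constant-time so the signature cannot be guessed byte by byte.
    """
    received = oauth.get("oauth_signature", "")
    params = {**query, **{k: v for k, v in oauth.items() if k != "oauth_signature"}}
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(received, expected)


# Constructed placeholder credentials and request (assumed URL, not a live endpoint).
CONSUMER_KEY, CONSUMER_SECRET = "dabr-consumer-key", "dabr-consumer-secret"
ACCESS_TOKEN, TOKEN_SECRET = "12345-user-access-token", "user-token-secret"
URL = "https://api.twitter.com/1/statuses/update.json"
QUERY = {"status": "hello world"}


def demo():
    """Sign a status update, then verify it, then verify a tampered copy."""
    header, oauth = build_authorization("POST", URL, QUERY, CONSUMER_KEY, CONSUMER_SECRET,
                                        ACCESS_TOKEN, TOKEN_SECRET,
                                        nonce="6e5b3f2a1c", timestamp=1262304000)
    ok = verify("POST", URL, QUERY, oauth, CONSUMER_SECRET, TOKEN_SECRET)
    tampered = verify("POST", URL, {"status": "hello world!"}, oauth,
                      CONSUMER_SECRET, TOKEN_SECRET)
    return header, ok, tampered


if __name__ == "__main__":
    hdr, ok, tampered = demo()
    print(hdr)
    print("verifies:", ok, "tampered verifies:", tampered)
```

The header travels with the request; the two secrets never do. If a third-party site built on this leaks its database, the attacker gets tokens that Twitter can revoke, not passwords the user may have reused elsewhere.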
Abraham Williams says:
The new mobile OAuth page works fine on my 1.6 Android phone. From what I've been hearing the Nexus One is the only Android device with issues. Twitter is acutely aware of the issues and will hopefully be fixing them soon.
Terence Eden says:
Hi, the Android in question is an HTC Hero - but I've not tried on other Android devices. It's really not that hard to do mobile device detection - I can't understand what Twitter are playing at. It's like they tested it on an iPhone and whichever half-dozen phones their employees had and then ignored the rest.
T
Abraham Williams says:
Ya. Probably. Hehe. I hope Twitter learns from it. I'm running a Google Ion which is essentially a MyTouch.
Abraham Williams says:
Just got a Droid and it works on it. As far as I can tell the Hero is Android 1.5. Later versions seem fine.