It's obvious on its face that it's possible to "spoof the Twitter Android app". You'd need something a lot more interesting than OAuth to prevent that. What's his point?
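An added example (not part of this thread, and not Twitter's or any library's code) that makes the "spoofing is obvious" point concrete. With OAuth 1.0a, the only thing a server can check about *which application* sent a request is the HMAC-SHA1 signature computed over the request with the consumer secret. The code below implements the RFC 5849 signing and verification steps, checks them against the test vector in the OAuth Core 1.0 spec's appendix, and then shows that a third-party client holding an extracted consumer key/secret produces a request the server accepts as the official app. The `api.example.test` URL, the credentials in `spoof_demo`, and the `verify_request` server logic are constructed for the example.

```python
"""OAuth 1.0a (RFC 5849) HMAC-SHA1 signing and verification.

Added example: a consumer secret shipped inside a native app is
extractable, so a signature made with it proves possession of the
secret, not the identity of the app binary that sent the request.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlparse


def pct(value) -> str:
    """RFC 3986 percent-encoding as required by RFC 5849 section 3.6."""
    return quote(str(value), safe="~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Build the RFC 5849 section 3.4.1 signature base string.

    `params` are the oauth_* protocol parameters (without oauth_signature);
    query-string parameters are taken from `url` and signed as well.
    """
    parsed = urlparse(url)
    base_url = f"{parsed.scheme.lower()}://{parsed.netloc.lower()}{parsed.path}"
    pairs = list(params.items()) + parse_qsl(parsed.query, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """RFC 5849 section 3.4.2: HMAC-SHA1 keyed with secret&token_secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def sign_request(method, url, creds, nonce, timestamp) -> dict:
    """Client side: return the oauth_* parameters for one request.

    `creds` is (consumer_key, consumer_secret, token, token_secret).
    """
    consumer_key, consumer_secret, token, token_secret = creds
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = hmac_sha1_signature(
        method, url, oauth, consumer_secret, token_secret)
    return oauth


def verify_request(method, url, oauth, consumer_secrets, token_secrets) -> bool:
    """Server side (constructed): recompute the signature and compare.

    The only app-identifying input here is the consumer secret looked up by
    oauth_consumer_key. Nonce/timestamp replay checks are omitted; they do
    not change the point, since a spoofing client uses fresh values.
    """
    params = {k: v for k, v in oauth.items() if k != "oauth_signature"}
    consumer_secret = consumer_secrets.get(oauth.get("oauth_consumer_key"))
    token_secret = token_secrets.get(oauth.get("oauth_token"))
    if consumer_secret is None or token_secret is None:
        return False
    expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth.get("oauth_signature", ""))


def spec_vector_check() -> bool:
    """Signature from OAuth Core 1.0, Appendix A.5 (photos.example.net)."""
    params = {
        "oauth_consumer_key": "dpf43f3p2l4k3l03",
        "oauth_token": "nnch734d00sl2jdk",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1191242096",
        "oauth_nonce": "kllo9940pd9333jh",
        "oauth_version": "1.0",
    }
    url = "http://photos.example.net/photos?file=vacation.jpg&size=original"
    sig = hmac_sha1_signature("GET", url, params, "kd94hf93k423kf44", "pfkkdhi9sl3r4s00")
    return sig == "tR3+Ty81lMeYAr/Fid0kMTYa/WM="


def spoof_demo() -> dict:
    """Constructed scenario: the server's secret table knows one consumer key
    (the 'official app'). A third-party client that pulled the same
    key/secret out of the shipped binary signs with them and is accepted;
    a client without the secret is rejected."""
    url = "https://api.example.test/1/statuses/update.json?status=hello"
    consumer_secrets = {"OFFICIAL-APP-KEY": "official-app-secret"}   # constructed
    token_secrets = {"user-token": "user-token-secret"}               # constructed
    extracted = ("OFFICIAL-APP-KEY", "official-app-secret", "user-token", "user-token-secret")
    guessed = ("OFFICIAL-APP-KEY", "wrong-secret", "user-token", "user-token-secret")
    spoofed = sign_request("POST", url, extracted, "nonce-1", 1300000000)
    bogus = sign_request("POST", url, guessed, "nonce-2", 1300000000)
    return {
        "extracted_secret_accepted": verify_request("POST", url, spoofed, consumer_secrets, token_secrets),
        "wrong_secret_accepted": verify_request("POST", url, bogus, consumer_secrets, token_secrets),
    }


if __name__ == "__main__":
    print("spec vector ok:", spec_vector_check())
    print(spoof_demo())
```

The takeaway matches the comment above: nothing in the protocol distinguishes the real app from any client that has read the secret out of the APK, so revoking a consumer secret cuts off the real app and the spoofing client alike. That is a property of embedding a shared secret in distributed software, not something OAuth introduced.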
What this article is really about is distaste over a policy decision Twitter appears to have made, which is that they may revoke consumer secrets for applications that end up associated with scam apps. We can argue over the merits of that decision ad nauseam, but I'll short circuit it (again) by pointing out that Twitter would have had the exact same problem without OAuth; they'd simply be attacking it in an ad hoc way instead of with OAuth.
I have two huge problems with this article:
* It sensationalizes an issue that isn't about security, but rather is about developer-friendliness. Of course, since (as far as I can tell) no major Twitter app has been disrupted by this unfriendliness, this story wouldn't have had legs without the scary security spin they gave it.
* It throws the baby out with the bathwater on OAuth, which again simply isn't intended to be a universal authentication protocol for native apps. Near as I can tell, everything Twitter's doing makes perfect sense for web apps, which I'm guessing are still far and away (by usage) the most-used customers of Twitter's API.
The article isn't really saying there's a security problem in OAuth alone, but that there's a security problem in the overall system consisting of OAuth, Twitter's mandating use of it in a way it wasn't intended, and Twitter's presumed policy of disabling "compromised" keys.
Has Twitter actually shut down any application anyone's heard of with this policy, or is this just scaremongering?
Because, again, Twitter has a variety of ad-hoc means at its disposal to block clients without going anywhere near OAuth.
Meanwhile: "using OAuth in a way it wasn't intended" is not the same thing as a "compromise" in Twitter's OAuth system. And yet that's the headline of the article.