Reviews of the Pownce app on the iPhone app store

Reviews of the Pownce app on the iPhone app store by Simon Willison.
I think the Pownce iPhone app is really nicely done, as well as being an excellent example of OAuth best practices. Unfortunately, three out of four of the reviews in the app store specifically complain about the mobile Safari authentication step. Users apparently don't like OAuth. 

Comments

Carlo Z says:

I don't think it's a matter of liking it or not liking it; I think it's a lack of understanding what it is or does.

The average user doesn't care about OAuth, it's as simple as that.

I don't really blame them, to be honest. Not because I do not like it, but because by now I *know* that they don't care. Most of them aren't geeks, they just want their stuff to work, and every step between them and their goal/destination that deviates from the learned path is "wrong" (to them).

I guess our job is to explain it better. Using hand puppets, maybe?
Posted 15 months ago. ( permalink )

andré.luís (Pro User) says:

The problem is not in OAuth per se. From reading that, I think it's all related to being taken away from the app, not the authorizing itself. Perhaps an alternative workflow is in order... manual retrieval/input of auth tokens?
Posted 15 months ago. ( permalink )

LukeRedpath says:

There seems to be an issue of having to compromise between security (or maybe that should be openness) and the end user experience with OAuth implementations on the iPhone. I have to say I come down on the side of user experience.

Yes, by opening the auth page in Safari, you can see immediately whether or not it's a genuine login page. By using an embedded webkit display you can't. But honestly, how is signing in using an embedded web view any different to a native login UI? How do you know the app isn't sending your credentials off elsewhere without viewing the source code?

Ultimately, I think this is an issue of trust and unless you trust the app with your credentials, don't use it.

Edit - I've elaborated somewhat here:
lukeredpath.co.uk/2008/8/12/on-iphones-and-user-credentials
Posted 15 months ago. ( permalink )

RodBegbie (Pro User) says:

FWIW, authorization is/should be a teensy-weensy little part of the overall user experience. If you wow the user with everything else, popping them to Safari to authenticate shouldn't even be on their mind when they decide to write a review.
Posted 15 months ago. ( permalink )

LukeRedpath says:

Seeing as it's one of the very first things the user encounters and is possibly something a user may have to do more than once, then I'd say it most certainly isn't a "teensy-weensy" part of the user experience.
Posted 15 months ago. ( permalink )

Seldo (Pro User) says:

Breaking out of the app for OAuth is not an acceptable design. Even popping an embedded Safari window is distinctly substandard. Your app has a UI, the authentication mechanism should not dictate what the UI looks like. As Luke said, there are so many ways they can steal your login: if you trust the app, you trust the app, and you shouldn't have to show users a universal login screen to do that.

For instance, how about an app that shows UI that *looks* like you're switching to Safari, fakes an address bar, fakes the openID UI, and then fakes you back into the app. Same crappy workflow and still totally insecure.
Posted 15 months ago. ( permalink )
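Two points in the thread are worth seeing in code: andré.luís's suggestion of manual token entry (OAuth 1.0a's out-of-band "oob" callback, where the user copies a short verifier from the provider's page back into the app), and Luke's question of what the app actually handles. The simulation below is an added example written for this page; it is not Pownce's code, and the provider, consumer key, secrets, URLs and user account are all constructed stand-ins. It plays the three legs of the flow in one process, signs each request with HMAC-SHA1 as RFC 5849 describes, and records what the consumer (the app) sees: the password only ever reaches the provider's own login step, whichever browser that step runs in.

```python
"""Three-legged OAuth 1.0a with an out-of-band ("oob") verifier, simulated in one process.
Added example, not Pownce's code: provider, consumer and user are toy stand-ins, and every
key, secret, URL and credential below is constructed for the demonstration."""
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

REQ_URL = "https://provider.example/oauth/request_token"   # constructed
ACC_URL = "https://provider.example/oauth/access_token"    # constructed


def pct(s):
    # RFC 5849 section 3.6: percent-encode everything except unreserved characters
    return quote(str(s), safe="-._~")


def signature_base_string(method, url, params):
    # Section 3.4.1: encoded parameters sorted by name (then value), joined with '&',
    # then METHOD & encoded(url) & encoded(normalized params)
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    norm = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(norm)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    # Section 3.4.2: key is encoded(consumer_secret) & encoded(token_secret)
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def signed_params(method, url, consumer_key, consumer_secret, token="", token_secret="", **extra):
    """Consumer side: build the oauth_* parameter set for one request and sign it."""
    params = {"oauth_consumer_key": consumer_key, "oauth_nonce": secrets.token_hex(8),
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())),
              "oauth_version": "1.0", **extra}
    if token:
        params["oauth_token"] = token
    params["oauth_signature"] = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return params


class Provider:
    """Toy service provider holding consumer secrets, user passwords and issued tokens."""

    def __init__(self):
        self.consumers = {"pownce-iphone": "consumer-secret-xyz"}  # constructed
        self.users = {"alice": "correct horse battery staple"}     # constructed
        self.request_tokens = {}   # token -> {"secret", "verifier", "user", "consumer"}
        self.access_tokens = {}    # token -> {"secret", "user", "consumer"}

    def _check(self, method, url, params, token_secret=""):
        # Recompute the signature over everything except oauth_signature itself
        params = dict(params)
        sig = params.pop("oauth_signature")
        expected = hmac_sha1_signature(method, url, params,
                                       self.consumers[params["oauth_consumer_key"]], token_secret)
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("bad signature")
        return params

    def request_token(self, method, url, params):
        params = self._check(method, url, params)
        if params.get("oauth_callback") != "oob":
            raise ValueError("this demo only supports the out-of-band callback")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "verifier": None, "user": None,
                                      "consumer": params["oauth_consumer_key"]}
        return {"oauth_token": token, "oauth_token_secret": secret, "oauth_callback_confirmed": "true"}

    def authorize(self, token, username, password):
        """The user logs in on the provider's own page; the app never handles the password."""
        if self.users.get(username) != password:
            raise PermissionError("login failed")
        rec = self.request_tokens[token]
        rec["user"], rec["verifier"] = username, secrets.token_hex(4)
        return rec["verifier"]   # displayed to the user to type back into the app

    def access_token(self, method, url, params):
        rec = self.request_tokens[params["oauth_token"]]
        params = self._check(method, url, params, rec["secret"])
        if rec["verifier"] is None or not hmac.compare_digest(params["oauth_verifier"], rec["verifier"]):
            raise PermissionError("request token not authorized or wrong verifier")
        del self.request_tokens[params["oauth_token"]]   # request tokens are single use
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = {"secret": secret, "user": rec["user"], "consumer": rec["consumer"]}
        return {"oauth_token": token, "oauth_token_secret": secret}


def run_flow(provider, username, password, key="pownce-iphone", secret="consumer-secret-xyz"):
    """Run all three legs; return the access token and a log of everything the app saw."""
    seen_by_app = []
    # Leg 1: unauthorized request token; "oob" says the app cannot receive a redirect callback
    rt = provider.request_token("POST", REQ_URL, signed_params("POST", REQ_URL, key, secret, oauth_callback="oob"))
    seen_by_app.append(("request_token", rt))
    # Leg 2: the user authorizes on the provider's page (Safari, in Pownce's case) and reads off a verifier
    verifier = provider.authorize(rt["oauth_token"], username, password)
    seen_by_app.append(("verifier_typed_by_user", verifier))
    # Leg 3: request token + verifier are exchanged for an access token, signed with both secrets
    at = provider.access_token("POST", ACC_URL, signed_params("POST", ACC_URL, key, secret,
                                                              rt["oauth_token"], rt["oauth_token_secret"],
                                                              oauth_verifier=verifier))
    seen_by_app.append(("access_token", at))
    return at, seen_by_app


if __name__ == "__main__":
    p = Provider()
    token, log = run_flow(p, "alice", "correct horse battery staple")
    print("access token for", p.access_tokens[token["oauth_token"]]["user"], "->", token["oauth_token"])
```

The log returned by `run_flow` contains tokens and the verifier but never the password, which is the property the external-browser step is meant to make visible to the user. The trade-off the thread argues about is whether that visibility is worth the context switch: the flow itself is identical whether the authorize leg happens in Safari or in an embedded web view, and the difference is only in whether the user can tell which page they are typing into.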
