@aaronpk I was just reading your article goo.gl/IF9r2O which was helpful. Is using SafariViewController the only safe auth on iOS?
1
Thanks! That, or launching Safari or the service's native application. SafariViewController will provide the best UX.
1
Awesome! I'm getting a lot of push back on the visible URL. I'm wondering how/why so many mobile apps don't show it. Thoughts?
3
Prior to SafariViewController, devs weren't willing to bounce ppl out of the app, the only other way to have a visible URL
1
Sorry, I meant I'm being told the URL can't be visible and they are holding up other mobile apps login as examples that do not show it.
1
Yeah sorry, 140 chars isn't enough 😭 Before SFSafariView, the only way to securely do OAuth was to launch the native…
1
more here: aaronparecki.com/2017/05/04/…

@rogue__leader Yeah sorry, 140 chars isn't enough 😭 ...

@rogue__leader Yeah sorry, 140 chars isn't enough 😭 Before SFSafariView, the only way to securely do OAuth was to launch the native Safari browser. This meant you'd get bounced out of the app, which...

aaronparecki.com
1
WOW, thank you so much! Do you know, offhand, of any mobile apps doing Auth this way?
1
The Google Inbox and Voice apps do it! I know I've used a couple more, but can't remember off-hand.
1
Awesome, I’ll check those out. Business doesn’t understand why I can’t do this in a way that doesn’t show URL. Since it’s our app and API.
1
Replying to @Rogue__Leader
Yeah the Google case is interesting since they're doing it with their own apps!

May 4, 2017 · 6:22 PM UTC

1
Replying to @aaronpk
Yeah... Does that mean there are alternatives to SFSafariView if you own the app and API?
2
Well for first-party apps there isn't really a phishing risk, it's normal to type your password into the service's own app.