FoursquareX v0.10, thoughts on web security

Back in January I released FoursquareX, a simple Mac OS X application that allows you to "give your phone a break" and use Foursquare from your laptop. Initially the app was written as a way to learn Objective-C and Cocoa, but after the project was picked up by TechCrunch I decided to keep maintaining it somewhat.

The biggest change in v0.10 is that it now uses a secure connection (HTTPS) when talking to the Foursquare API. Up until very recently, Foursquare's servers had no support for secure connections, something that I constantly complained about. While I'm happy they've finally done something, I remain annoyed that it took so long, and by the general apathy in the startup world towards user security and privacy. Many users didn't realize that every time they opened Foursquare on their phone, their password was shouted through the air for everyone to see. The Foursquare website remains unencrypted, making it extremely easy to completely hijack someone's account. Both of these issues are unfortunately very common.

A few months ago I switched FoursquareX to use OAuth after giving up on ever seeing SSL from the service. This was a non-trivial change that only partially solved the problem; passwords were still sent in plaintext the first time you used the app, and all activity could still be monitored by people around you. 

Had Foursquare architected their systems properly and supported SSL from the start, all I would've had to do was change the word "http" to "https" in the source code. If I wanted to be complete, I could also check that the certificate fingerprint matched a known correct value.

Twitter recently made the decision to require all third party apps to switch from basic authentication to OAuth. This has caused huge headaches for thousands of people for no real benefit. While many attribute an unprecedented level of ignorance and stupidity to this new policy, I'm not convinced. Twitter's website, which is being actively developed and promoted, continues to leave users completely vulnerable to session hijacking. The big difference between SSL+Basic Authentication and OAuth has nothing to do with security, but rather the introduction of an "API Key" that gives Twitter the ability to lock out access to specific applications. Twitter is taking a page from Apple's playbook and using security as an excuse to take control over developers.

OAuth is excellent for authorization between web apps, but is a complete waste of time for desktop and mobile applications, and could actually be harmful. In addition to the issue of control mentioned above, users are being told to only enter their passwords into their web browser, which have a huge attack surface, especially when compared to a Twitter client that could use the operating system's secure password storage system anyway. 

Hopefully the backlash against Twitter will be enough to convince other companies that they need to think twice before implementing a similar policy.

FoursquareX v0.10 also fixes a few bugs and has better error handling for when the Foursquare API is recovering from a bad hangover. It's free and open source. Download today!

← Read More