Disclaimer

There is nothing new in this post. I'm just bringing this up now because a lot of people seem to not know the facts. It also has nothing to do with Windows Phone specifically, but rather pretty much every platform. The point of this post is not to spread FUD, but to remind people to not take security for granted.

OAuth

For those that don't know what OAuth is, it is an open standard for authorization. OAuth provides client applications "secure delegated access" to server resources on behalf of a resource owner. It specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials. These days OAuth is used pretty much everywhere an external client needs to log in to some sort of service. You've used it with Google (I used it to upload the video in this post), Microsoft apps (Skype, Xbox SmartGlass, Visual Studio), Twitter, Facebook, and countless others. You'll know when you're using it because you'll see a button like "Sign in with X", which will then pop up a login window on your PC or phone.

Over on /r/WindowsPhone (and the internet at large), I've read a number of comments stating that your credentials are safe when using a mobile app that uses OAuth. The theory is that the mobile app you're using never actually has access to your credentials, because it just opens a window directly to the site's login page, and the credentials go directly to the site (never to the app). The site then sends a token back to the app to say the credentials were valid, and from there the app can use that token with its requests (to post a tweet, for example). OAuth isn't just about keeping your password away from the app, but that is all this post is about. The issue is that this theory is just completely wrong.
The big point of failure is that even though the app is showing the Twitter website directly, the actual browser component is still owned and contained by the app. So an app that you may or may not trust can do pretty much what it wants to that Twitter website. Below I made a video to demonstrate this. All I did was download a Windows Phone Twitter login sample and add a tiny bit of code, which allows me to get the username and password that the user types (even though they are typing directly into the browser). The upper text is native XAML; the lower part is the Twitter OAuth browser component.

Yes, in the time it takes to put on your fingerless hacker gloves, it is possible to make a "legit" OAuth login (i.e. it will still work and authenticate you, and it is the real Twitter site) that will also steal credentials. In a real-world application the person would obviously not show the credentials at the top of the screen; they'd silently send them off to a server which collects all the accounts. I'm not 100% sure why someone would want to steal your account. It's not like we're sending nude selfies to each other, right? Another issue with this browser-in-app way of doing OAuth is that the user has no idea what the actual URL of the page is. For all they know, it could be going to a page that is just made to look the same as the real login page.
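As an added example (not code from this post, and not how Twitter itself does it), here is what the service side can do about the problem the video shows: refuse to render the login form at all when the request comes from an app's embedded browser component, and tell the app to use the system browser or a PIN flow instead. This is the approach some large identity providers later adopted. The marker strings, the sample User-Agent values and the handler shape are assumptions for illustration, and since a hostile app can set any User-Agent it likes, the check raises the cost of the attack rather than eliminating it; what it does change is that the service, not the untrusted app, decides where the login page may be rendered.

```python
"""Server-side check: don't hand the login page to an embedded browser component.

Added example, not code from the original post or from any real service. The
marker strings and sample User-Agent values are constructed/assumed and are not
an authoritative list.
"""
import re
from typing import Dict, Tuple

# Tokens that typically appear only when a page is rendered inside an app's own
# web control rather than the platform's standalone browser (assumed list).
EMBEDDED_MARKERS = (
    "; wv)",       # Android System WebView adds "wv" to the platform token
    "WebView",
    "MSAppHost",   # Windows Store (WWA) app hosting a web control
    "FBAN",        # Facebook in-app browser
    "FBAV",
)

# iOS: Mobile Safari always carries a "Safari/" product token; in-app web views
# do not, so an iOS user agent without it is treated as embedded.
_IOS = re.compile(r"\(iP(?:hone|ad|od);")


def is_embedded_webview(user_agent: str) -> bool:
    """Return True when the User-Agent looks like an in-app browser component."""
    if any(marker in user_agent for marker in EMBEDDED_MARKERS):
        return True
    if _IOS.search(user_agent) and "Safari/" not in user_agent:
        return True
    return False


def authorize_endpoint(headers: Dict[str, str]) -> Tuple[int, str]:
    """Minimal stand-in for the OAuth authorize/login handler (assumed shape)."""
    ua = headers.get("User-Agent", "")
    if is_embedded_webview(ua):
        # Refuse to render the credential form; the app must hand the user off
        # to the system browser (or use a PIN/out-of-band flow) instead.
        return 403, "Sign in is only available in the system browser."
    return 200, "<html><!-- real login form would be served here --></html>"


# Constructed sample User-Agent strings for a quick self-check.
SAMPLE_UAS = {
    "android_chrome": "Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/80.0.3987.99 Mobile Safari/537.36",
    "android_webview": "Mozilla/5.0 (Linux; Android 10; Pixel 3; wv) AppleWebKit/537.36 "
                       "(KHTML, like Gecko) Version/4.0 Chrome/80.0.3987.99 Mobile Safari/537.36",
    "ios_safari": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) AppleWebKit/605.1.15 "
                  "(KHTML, like Gecko) Version/13.0.4 Mobile/15E148 Safari/604.1",
    "ios_webview": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) AppleWebKit/605.1.15 "
                   "(KHTML, like Gecko) Mobile/15E148",
    "win8_app": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0; MSAppHost/1.0)",
}


def classify_samples() -> Dict[str, bool]:
    """Run every sample through the check; handy for a quick demo."""
    return {name: is_embedded_webview(ua) for name, ua in SAMPLE_UAS.items()}


if __name__ == "__main__":
    for name, embedded in classify_samples().items():
        status, _ = authorize_endpoint({"User-Agent": SAMPLE_UAS[name]})
        print(f"{name:16s} embedded={embedded!s:5s} -> HTTP {status}")
```

The check is deliberately a denylist of embedded-browser fingerprints plus the iOS "no Safari token" rule, so an unknown browser defaults to being allowed; tightening it to an allowlist of known standalone browsers trades false positives for fewer bypasses.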

How do I keep safe?

This is a bit of a tricky one to give solid advice on. As far as I am aware there are only two "safe" mobile OAuth login options:

- PIN login: Some apps will open the phone's actual browser (outside of the app) and load the OAuth login. You then log in, and it gives you a short code. Copy that code and paste it back into the app. This is pretty safe because the browser is not part of the possibly-dodgy app.
- Windows 8 OAuth: Windows 8 introduced an easy way for apps to use OAuth logins. When the app requests it, the OS shows a login over the app. This is a good mix between the browser-in-app method and the PIN login, because it has the best of both worlds. The issue is that an app could still create a fake popup panel pretending to be the Windows 8 one.

Of course, the issue with both of the above is that they are completely dependent on the platform and the app. It also depends on whether the login service even supports PIN auth. So the real advice here is to just stay aware of what you are doing and what you are downloading. If you're downloading a Twitter app, don't even consider it if it doesn't have many ratings (meaning it hasn't had many guinea pigs). Even if it does have lots of ratings, take a few minutes to tap on the developer's name and see what else they have made. Are they well known in the community? Do they have a seemingly legitimate online presence (as opposed to someone you can't find anything about)? You're basically trying to find out whether the developer would be held accountable for wrongdoings rather than just disappearing into the night. With Windows Phone specifically, most serious development efforts (and their developers) for the main services (Twitter, Facebook, Instagram, etc.) have been covered in depth by WPCentral. So if you have an urge to post grainy images of your food (and don't want to use the official app), why are you even looking in the phone marketplace? Go on WPCentral, search, and do some reading.
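To make the PIN login option concrete, here is an added example (not code from this post or from any real service) that models the whole exchange with both sides in one file: the user logs in through the phone's own browser, the service hands back a short code, and the app trades that code for a token. The AuthorizationServer class is an in-memory stand-in for the real site's login and token endpoints; the user record, the client id and the 300-second PIN lifetime are constructed values. The thing to notice is that the app class has no method that accepts a password at all.

```python
"""Out-of-band ("PIN") OAuth login, modelled end to end.

Added example, not code from the original post or from any real service. The
server is an in-memory stand-in (assumption); the user table, client id and
PIN lifetime are constructed values.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

PIN_LIFETIME_SECONDS = 300  # constructed value


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthorizationServer:
    """Stands in for the service the user logs in to (Twitter, in the post)."""

    def __init__(self, registered_clients: Dict[str, str]) -> None:
        self._clients = registered_clients  # client_id -> app name
        self._salt = secrets.token_bytes(16)
        # constructed user: alice / "correct horse"
        self._users = {"alice": _hash_password("correct horse", self._salt)}
        self._pending: Dict[str, Tuple[str, str, float]] = {}  # pin -> (user, client_id, expiry)
        self._tokens: Dict[str, str] = {}  # token -> user

    def browser_login(self, username: str, password: str, client_id: str, now: float) -> Optional[str]:
        """Runs in the phone's standalone browser, outside the app's process.

        Returns the PIN the user will copy into the app, or None on failure.
        """
        if client_id not in self._clients:
            return None
        stored = self._users.get(username)
        if stored is None or not hmac.compare_digest(stored, _hash_password(password, self._salt)):
            return None
        pin = f"{secrets.randbelow(10_000_000):07d}"
        self._pending[pin] = (username, client_id, now + PIN_LIFETIME_SECONDS)
        return pin

    def exchange_pin(self, pin: str, client_id: str, now: float) -> Optional[str]:
        """Token endpoint: trade a PIN for an access token. Each PIN works once."""
        entry = self._pending.pop(pin, None)  # consumed even if the checks below fail
        if entry is None:
            return None
        username, bound_client, expiry = entry
        if bound_client != client_id or now > expiry:
            return None
        token = secrets.token_urlsafe(24)
        self._tokens[token] = username
        return token

    def whoami(self, token: str) -> Optional[str]:
        return self._tokens.get(token)


class ClientApp:
    """The third-party app. It never receives the password, only the PIN."""

    def __init__(self, server: AuthorizationServer, client_id: str) -> None:
        self._server = server
        self.client_id = client_id
        self.token: Optional[str] = None

    def finish_login(self, pin_typed_by_user: str, now: float) -> bool:
        self.token = self._server.exchange_pin(pin_typed_by_user, self.client_id, now)
        return self.token is not None


def demo(now: float = 1_000.0) -> dict:
    """Walk through the flow and report what each side ended up holding."""
    server = AuthorizationServer({"app-123": "Some Twitter client"})  # constructed client id
    app = ClientApp(server, "app-123")

    # Step 1: the user logs in via the system browser; the app never sees this call.
    pin = server.browser_login("alice", "correct horse", "app-123", now)
    # Step 2: the user copies the PIN into the app, which exchanges it for a token.
    ok = app.finish_login(pin, now)
    # Replaying the same PIN fails because it was consumed on first use.
    replay_rejected = server.exchange_pin(pin, "app-123", now) is None
    return {
        "login_ok": ok,
        "token_user": server.whoami(app.token),
        "replay_rejected": replay_rejected,
        "pin_len": len(pin),
    }


if __name__ == "__main__":
    print(demo())
```

A real token endpoint would additionally rate-limit PIN guesses, since a seven-digit code with a five-minute lifetime is only safe if the app cannot try millions of exchanges in that window; the single-use and client-binding checks shown here are what stop a leaked or intercepted PIN from being reused.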
All this being said, I've never heard of a single widespread case of this happening on Windows Phone (I'm not sure if it has happened on other platforms).