Twitter to force 3rd party apps to use more annoying authentication


Twitter has put up a blog post, ostensibly to inform users that, in order to better secure our accounts and keep our direct messages (DMs) private, 3rd party apps will now be forced to use the web-based OAuth login method rather than the more native-feeling xAuth most of them use today.

When you first connect an application to Twitter, we’ll give you more detailed information about what you’re allowing the app to do with your account. These activities may include reading your Tweets, seeing who you follow, updating your profile, posting Tweets on your behalf, or accessing your direct messages. If you’re not comfortable with the level of access an application requests, simply say “No, thanks”.

So what this boils down to is, when you get a new Twitter app -- anything from a full client like Twitterrific or TweetBot down to apps that simply allow you to share content via Twitter, such as games and Instagram -- you won't be able to simply enter your username and password in the fields like you do today. Instead the app will have to call up an embedded browser window (UIWebView) and load up a page which then presents the more complex screen shown above.

That may be only a little extra mental work for games, where there is arguably an advantage in making sure a developer doesn't get permission to see anything they don't need, like your DMs. But for proper Twitter clients, which are supposed to read and write DMs, and in which power users might have multiple accounts to set up and maintain, it quickly becomes a pain in the butt.

Except for Twitter for iPhone, Twitter for iPad, and likely the newly acquired TweetDeck. Because they're considered 1st party, and because Twitter considers your signing up for their service as granting them all applicable permissions, they still get to use the kinder, gentler xAuth.
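To make the difference between the two login methods concrete, here is a small Python model of both flows. It is added here as an illustration and is not code from this post or from Twitter. Everything in it is constructed: the consumer key and secret ("app-key"/"app-secret"), the test account ("alice"/"hunter2"), three toy endpoint paths standing in for the timeline, posting and DMs, and Twitter's three permission levels (read-only, read and write, read/write plus DMs) modelled as integers. Request signing follows the OAuth 1.0a HMAC-SHA1 scheme Twitter used. The xAuth path shows the app itself holding the user's password and receiving a token with full access; the OAuth path shows the password being entered only on the provider's own page (the one the embedded browser loads), with the app receiving a token limited to the level the user saw and approved.

```python
"""Toy model of the two login flows contrasted above (added example, not the post's or Twitter's
code): xAuth, where the app collects the password, vs three-legged OAuth 1.0a with a consent page."""
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

LEVELS = {"read": 1, "write": 2, "dm": 3}   # read-only < read+write < read+write+DMs
ENDPOINT_LEVEL = {"/home_timeline": "read", "/update": "write", "/direct_messages": "dm"}
APP_KEY, APP_SECRET = "app-key", "app-secret"   # constructed consumer credentials
_pct = lambda s: quote(str(s), safe="~")        # RFC 5849 percent-encoding


def signature_base_string(method, url, params):
    pairs = sorted((_pct(k), _pct(v)) for k, v in params.items())
    return "&".join([method.upper(), _pct(url), _pct("&".join(f"{k}={v}" for k, v in pairs))])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign(method, url, params, token="", tsecret=""):
    """Client side: attach the oauth_* protocol parameters and sign the request."""
    p = dict(params, oauth_consumer_key=APP_KEY, oauth_nonce=secrets.token_hex(8),
             oauth_signature_method="HMAC-SHA1", oauth_timestamp=str(int(time.time())),
             oauth_version="1.0", **({"oauth_token": token} if token else {}))
    p["oauth_signature"] = hmac_sha1_signature(signature_base_string(method, url, p), APP_SECRET, tsecret)
    return p


class Provider:
    def __init__(self, app_scope):
        self.app_scope = app_scope                          # level the app registered for
        self.request_tokens, self.access_tokens = {}, {}   # token -> {secret, ...}
        self.users = {"alice": "hunter2"}                   # constructed test account

    def _verify(self, method, url, params, tsecret):
        params = dict(params)
        sig = params.pop("oauth_signature", "")
        expected = hmac_sha1_signature(signature_base_string(method, url, params), APP_SECRET, tsecret)
        return hmac.compare_digest(sig, expected)

    def _issue(self, store, **fields):
        tok, sec = secrets.token_hex(8), secrets.token_hex(8)
        store[tok] = dict(fields, secret=sec)
        return tok, sec

    def request_token(self, method, url, params):
        if not self._verify(method, url, params, ""):
            raise PermissionError("bad signature")
        return self._issue(self.request_tokens)

    def authorize(self, request_token, username, password, approve):
        """The page in the embedded browser: the password is typed into the provider's page,
        never handed to the app, and the user sees the requested level and answers yes or no."""
        rt = self.request_tokens[request_token]
        if self.users.get(username) != password or not approve:
            raise PermissionError("login failed or user said no")
        rt.update(user=username, scope=self.app_scope, verifier=secrets.token_hex(4))
        return rt["verifier"]

    def access_token(self, method, url, params):
        rt = self.request_tokens.pop(params["oauth_token"])
        if ("verifier" not in rt or params.get("oauth_verifier") != rt["verifier"]
                or not self._verify(method, url, params, rt["secret"])):
            raise PermissionError("unauthorised token, bad verifier or bad signature")
        return self._issue(self.access_tokens, user=rt["user"], scope=rt["scope"])

    def xauth(self, username, password):   # xAuth-style: the app already holds the password
        if self.users.get(username) != password:
            raise PermissionError("bad login")
        return self._issue(self.access_tokens, user=username, scope="dm")   # no consent screen, full access

    def api(self, method, path, params):
        at = self.access_tokens[params["oauth_token"]]
        if not self._verify(method, path, params, at["secret"]):
            return 401, "bad signature"
        if LEVELS[at["scope"]] < LEVELS[ENDPOINT_LEVEL[path]]:
            return 403, f"token level {at['scope']!r} cannot reach {path}"
        return 200, f"{path} for {at['user']}"


def _probe(pv, tok, sec):
    return {p: pv.api("GET", p, sign("GET", p, {}, tok, sec))[0] == 200 for p in ENDPOINT_LEVEL}


def oauth_flow(app_scope, approve=True):
    pv = Provider(app_scope)   # three-legged dance; the app never sees the password
    rt, rts = pv.request_token("POST", "/request_token", sign("POST", "/request_token", {}))
    verifier = pv.authorize(rt, "alice", "hunter2", approve)   # the user's step in the web view
    at, ats = pv.access_token("POST", "/access_token",
                              sign("POST", "/access_token", {"oauth_verifier": verifier}, rt, rts))
    return _probe(pv, at, ats)


def xauth_flow():
    pv = Provider("read")   # xAuth: the app itself collected "alice"/"hunter2"
    at, ats = pv.xauth("alice", "hunter2")   # ...and gets everything, whatever it registered for
    return _probe(pv, at, ats)
```

Calling oauth_flow("read") comes back with the timeline readable but posting and DMs refused, oauth_flow("dm") allows all three, and xauth_flow() allows all three as well even though the app registered for read-only, because in that model the password itself was the credential. Passing approve=False stands in for the "No, thanks" button and fails before any token is issued, and tampering with a signed request after the fact makes the provider's signature check fail.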

So, by way of dramatic parallel, imagine Apple forced every non-Apple App Store app to be synced via iTunes, while only Apple's own apps could be downloaded directly on-device. It would be just as annoying and just as seemingly greedy and unfair.

And that's what rankles about this. It feels greedy and unfair. Greedy and unfair to the 3rd party developers who created the clients that helped make Twitter what it is today, greedy and unfair to users who get a more hostile experience, and ultimately greedy and unfair to Twitter itself, which had such a good reputation among developers and users until it started clamping down on 3rd parties and introducing things like the #dickbar.

In iOS, when an app wants to use location services or send you push notifications, it gives you a simple yes/no popup. If Twitter is really concerned about user privacy and security -- even when users are expressly opting for the convenience of a full-on Twitter client -- do what Apple does, not what web sites had to do years ago.

Or just ask Twitter's own Loren Brichter, who created Tweetie, which became Twitter for iPhone. He had OAuth's number years ago on his Atebits blog (see link, below).

Hopefully Twitter finds a better way to handle #dickauth, and a better way to handle their user and developer relations again soon.

[Twitter, Daring Fireball, Atebits]


Rene Ritchie

EiC of iMore, EP of Mobile Nations, Apple analyst, co-host of Debug, Iterate, Vector, Review, and MacBreak Weekly podcasts. Cook, grappler, photon wrangler. Follow him on Twitter and Google+.





Reader comments



So you only have to do this once for every account? It's really not that big of a deal, is it?

Yea, I don't really get what he's QQing about here. There are apps that have already been using this method for almost a year, at least on other platforms.

Good! On that note, TiPb is the best site for all things Apple. I would normally send my family (12 and 13 year old cousins) to TiPb for any tips or articles they would like. I refuse to send them to a site that uses excuses to insert the word dick into their articles. Save the "his name is Dick" excuse for those who care. Please find a new term like OAuth for this system. Isn't that what it's called anyway?

LOL at you, you don't own the site, don't think you're going to get people to rename titles. Dick isn't a swear word. The reason I know this is because it's my Surname!!!

As a 19 year old I still remember being 12-13 and quite frankly dick was quite the hilarious word at the time. It's all fun and games dad. If you were my father I would hate you for making my life dreary and dull. I think that makes you a dick.

Dick is the name of the current Twitter CEO, and fairly or unfairly it's under his watch that these changes are happening.

"and likely the newly acquired TweetDeck."
Pardon me, but can anyone actually point me to any ACTUAL evidence that Twitter bought TweetDeck apart from a rumour from TechCrunch?
Why is everyone accepting it as fact?
17 days ago TechCrunch's source for the sale said that "the transaction will be announced in the next few days."
It's time to stop calling it a fact.

So how will this new standard of authorization for Twitter be any different than the popup we have seen in applications for connecting to Facebook? Maybe we'll soon see Twitter's iOS app act as the authorization middle-man as we currently see with Facebook on the iPhone.

Seems like a perfectly sensible way to protect your privacy to me.
Is having to wait for a webpage to load once per to ensure you understand how your data is being used really so onerous?

Yea, in light of all that has been going on (think Sony, etc.) this seems like a reasonable proactive move for Twitter. Of course, I say this as a Twitter client user. I'd probably be a bit upset too if I were using a 3rd party app. And, while I generally agree with Rene, I see this more of that sort of rant.
Maybe I'm just paranoid... but I don't like this trend of using Facebook/Twitter as a login for 3rd parties which is becoming common. It makes some sense for a 3rd party app... but not for forum comments, etc. I think this is a good move, as I'm not sure people who do that (who aren't techies) necessarily know what is going on... so the more full disclosure wakes them up a bit.

I like the change as a user. I hear people groan all the time about apps posting to their stream without them realizing they had allowed it. Kudos to Rene for thinking of the devs though. Hate to see the flaming in these comments. The poster probably should have complained privately instead of inviting people to go all crackberry on him.

Hmm... I did not know 3rd party apps had access to my Direct Messages using xAuth-- I thought I was giving permission only to post to twitter.
I think xAuth should still be usable, but maybe the 3rd party app developers should also state what they can access. Personally, I want my direct messages kept private. That's the whole point behind DMs!

Someone please correct me if I'm wrong... but I think you're giving the 3rd party access to your Twitter account period. This just includes DMs as well. So, you have to trust them then. Same for many of these combo-IM clients (in fact there, usually all the IMs get processed through their servers as well.... and maybe the info used in some manner).
I'd also guess this might be the case when using your Facebook/Twitter for forum posts. (so, I've been avoiding doing that, and complain when forums ONLY provide that as a login method, which some are starting to do) That is just plain scary and stupid IMO.

"Dickbar" had a certain ring to it, but "dickauth?" I don't even follow the logic. Quickbar=dickbar, oauth=?! Further, nobody but NOBODY was calling it the "dick-bar" in reference to the CEO's name. If you claim to have, then you're just plain delusional.

I reread this article to make sure I properly understood the argument. It really sounds to me like the writer is complaining about Twitter's move to better inform its users about privacy issues they face.
Developers need to be more upfront about what they are asking from users. Too often we hear stories of developers leeching info or user data unwarranted, even through Apple's app store. I can't get behind this negativity toward the usage of OAuth. The user makes a decision to use an app before they grant permission. This screen can only help the user make a better decision.
Also, I think it's worth noting that Twitter's privacy policy is still far less complex than Apple or Facebook:

You're nuts. How in the world is this even remotely 'greedy'?
They're changing their authentication protocol so that users have a clearer idea of what they're agreeing to when they use a third party program. They have every right to do so, and I'd even commend them for it. I'd MUCH rather sign directly into twitter and authorize an app than provide my username and password directly to some (possibly) sketchy application. What does that have to do with greed? It adds a layer of protection from third party apps doing bad things with your data. Of course first party apps don't require the extended step - they're implicitly trusted.
Sorry Rene, but I really have to question your commitment to privacy if you think this change is a bad thing. The less apps that I have to provide my credentials to, the better. Even if that means an extra step on my part.

Yawn. Greedy? Yes. Unfair? No.
One of many OBVIOUS SIGNS that Twitter is a fad not a force of nature, and it is only a matter of time before it finds its proper place beside Friendster and MySpace.
140 Characters ... is a joke. An empire founded on an arbitrary limitation, filled with hacks and workarounds. The sooner Twitter is replaced, the better the Internet will be.