Twitter to force 3rd party apps to use more annoying authentication

Twitter has put up a blog post ostensibly to inform users that, in order to better secure and keep our direct messages (DMs) private, 3rd party apps will now be forced to use the web-based OAuth login method rather than the more native-feeling xAuth most of them use today.

When you first connect an application to Twitter, we’ll give you more detailed information about what you’re allowing the app to do with your account. These activities may include reading your Tweets, seeing who you follow, updating your profile, posting Tweets on your behalf, or accessing your direct messages. If you’re not comfortable with the level of access an application requests, simply say “No, thanks”.

So what this boils down to is, when you get a new Twitter app -- anything from a full client like Twitterrific or TweetBot down to apps that simply allow you to share content via Twitter, such as games and Instagram -- you won't be able to simply enter your username and password in the fields like you do today. Instead the app will have to call up an embedded browser window (UIWebView) and load up a page which then presents the more complex screen shown above.

That could be just a little extra mental work for games, where maybe there are advantages in making sure a developer doesn't have permission to see anything they don't need, like your DMs. But for proper Twitter clients, which are supposed to read and write DMs, and for which power users might have multiple accounts to set up and maintain, it quickly becomes a pain in the butt.

Except, that is, for Twitter for iPhone, Twitter for iPad, and likely the newly acquired TweetDeck. Since they're considered 1st party, and since Twitter considers your signing up for their service as granting them all applicable permissions, they still get to use the kinder, gentler xAuth.

So, by way of dramatic parallel, imagine if Apple decreed that every non-Apple App Store app could only be synced via iTunes, and only Apple apps could be downloaded directly on-device. It would be just as annoying and just as seemingly greedy and unfair.

And that's what rankles about this. It feels greedy and unfair. Greedy and unfair to the 3rd party developers who created the clients that helped make Twitter what it is today, greedy and unfair to users who get a more hostile experience, and ultimately greedy and unfair to Twitter which had such a good reputation among developers and users, until they started clamping down on 3rd parties and introducing things like the #dickbar.

In iOS when an app wants to use location services or send you push notifications, it gives you a simple yes/no popup. If Twitter is really concerned about user privacy and security -- even when users are expressly opting for the convenience of a full on Twitter client -- do what Apple does, not what web sites had to do years ago.

Or just ask Twitter's own Loren Brichter, who created Tweetie, which became Twitter for iPhone. He had OAuth's number years ago on his Atebits blog (see link, below).

Hopefully Twitter finds a better way to handle #dickauth, and a better way to handle their user and developer relations again soon.

[Twitter, Daring Fireball, Atebits]