25 Feb
How does Android/Firefox authenticate the Android Pocket app, for example?
I installed the Android Pocket app and logged in. My default browser is Firefox, which is already logged in to my Firefox account. This meant I did not have to enter my Firefox account password. Presumably the Pocket login flow used a Custom Tab...
Wait.
Can any app do this?
If Pocket can harvest a login session out of Firefox, what stops arbitrary apps harvesting arbitrary logins or private content?
Does the website perhaps control this by
- requiring user interaction - the "sign in" button I had to press
- and the Android app cannot spoof user interaction (unless it has special permissions)
- and then a new login session secret is sent to the app by the webserver through a separate channel?
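The flow the question sketches (the user clicks in the browser, the app receives a fresh secret over a separate channel, and the browser's own session never leaves the browser) matches the OAuth 2.0 authorization-code pattern with PKCE. The post does not say that this is what Pocket and Firefox actually use, so the following is an added Python illustration of that pattern, not code from Pocket, Firefox or Mozilla; the server, cookie, client id and redirect URI are all constructed.

```python
import base64, hashlib, secrets
from urllib.parse import parse_qs, urlencode, urlparse


def pkce_challenge(verifier: str) -> str:
    # S256 transform from RFC 7636: BASE64URL(SHA256(verifier)) without padding.
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class AuthServer:
    """Constructed stand-in for the website's authorization server."""

    def __init__(self):
        # Browser session cookie -> user; the cookie never leaves the browser.
        self.sessions = {"cookie-abc": "alice"}
        self.codes = {}  # one-time code -> (client_id, challenge, user)

    def authorize(self, cookie, client_id, redirect_uri, challenge, clicked):
        # The browser proves the user with its cookie, and the user must press
        # "sign in"; without the click no code is issued.
        user = self.sessions.get(cookie)
        if user is None or not clicked:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, challenge, user)
        # Browser is redirected to the app's custom-scheme URI carrying the code.
        return f"{redirect_uri}?{urlencode({'code': code})}"

    def token(self, code, verifier, client_id):
        # Separate channel: the app redeems the one-time code with the server.
        entry = self.codes.pop(code, None)
        if entry is None or entry[0] != client_id:
            return None
        if pkce_challenge(verifier) != entry[1]:
            return None  # the code alone, without the verifier, is useless
        return {"access_token": secrets.token_urlsafe(24), "user": entry[2]}


def app_login(server, clicked=True, intercepted=False):
    """Simulate the app driving the flow through the browser (Custom Tab)."""
    verifier = secrets.token_urlsafe(32)  # stays inside the app's process
    redirect = server.authorize("cookie-abc", "pocket-app", "pocketapp://cb",
                                pkce_challenge(verifier), clicked)
    if redirect is None:
        return None
    code = parse_qs(urlparse(redirect).query)["code"][0]
    if intercepted:  # another app caught the redirect: it has the code, not the verifier
        return server.token(code, "not-the-verifier", "pocket-app")
    return server.token(code, verifier, "pocket-app")
```

The app ends up with its own access token while the browser cookie stays in the browser, and an app that merely observes the redirect gets nothing it can redeem.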