• caglararli@hotmail.com
  • 05386281520

How does Android/Firefox authenticate the Android Pocket app, for example?

Çağlar Arlı      -    25 Views

How does Android/Firefox authenticate the Android Pocket app, for example?

I installed the Android Pocket app and logged in. My default browser is Firefox, which is already logged in to my Firefox account. This meant I did not have to enter my Firefox account password. Presumably the Pocket login flow used a Custom Tab...

Wait.

Can any app do this?

If Pocket can harvest a login session out of Firefox, what stops arbitrary apps harvesting arbitrary logins or private content?

Does the website perhaps control this by

  • requiring user interaction - the "sign in" button" I had to press
  • and the Android app cannot spoof user interaction (unless it has special permissions)
  • and then a new login session secret is sent to the app by the webserver through a separate channel?