0

I'm just curious. TWRequests use generic ACAccounts which are shared by all apps on iOS. Apps don't specify their own consumer_keys. So how could Twitter know which app a specific TWRequest comes from?

an0

2 Answers

1

Twitter can't tell which app a specific TWRequest comes from.

Accounts.framework embeds consumer_key and consumer_secret.

For Twitter, all requests just seem to be coming from iOS Twitter integration.

nst
  • I believe they know. Otherwise all apps using `TWRequest` will be displayed as `iOS`. Also, session 124 of WWDC 2011 confirmed it. Watch from 36:25. – an0 Oct 01 '12 at 14:14
  • Interesting. The exact quote is: "As part of this signing process, we actually embed enough information about your process that Twitter can identify your application correctly and attribute tweets that come from you on the Twitter web site so you won't lose that identification." What information is he talking about? User-agent or something? I still think that the same consumer tokens are used for all TWRequests. – nst Oct 01 '12 at 15:07
  • that's exactly what excited my curiosity:) – an0 Oct 01 '12 at 15:56
  • I didn't test with iOS TWRequest but as far as OS X is concerned, SLRequest for Twitter service type appear as 'OS X' on Twitter side. See my playground Twitter OAuth project https://github.com/nst/STTwitter – nst Oct 01 '12 at 16:24
  • Ok it turns out that all apps using `TWRequest` are indeed returned as coming from `iOS` in the Twitter timeline. Maybe the mysterious application identifier is related to the private method `-[SLTwitterRequest setApplicationID:]` (see the header at https://github.com/nst/iOS-Runtime-Headers/blob/master/Frameworks/Social.framework/SLTwitterRequest.h) – nst Oct 17 '12 at 15:34
  • So what was stated in WWDC session above is not true any more? Maybe it is just part of Twitter's current depreciation of third party apps. – an0 Oct 17 '12 at 15:38
  • How can I set the consumer key and secret for passing this data to a server? – Kyle Begeman Jul 22 '13 at 21:06
  • @KyleBegeman you can use a 3rd-party library such as STTwitter https://github.com/nst/STTwitter – nst Jul 23 '13 at 08:01
  • @nst Thanks for the link! This is a pretty cool library; however, I don't see a specific way to call SLRequest and tell it what consumer key to use. Do any of this library's methods support reverse auth? I'm gonna start digging through it, but let me know if you already have experience with this. Thanks a lot! – Kyle Begeman Jul 24 '13 at 14:45
  • You cannot change SLRequest consumer tokens. BTW why would you want to do that? STTwitter supports reverse auth, see sample code here: https://github.com/nst/STTwitter#reverse-authentication – nst Oct 04 '13 at 09:33
  • @georgemp is right, SLRequest adds two parameters such as application_id=ch.seriot.MyApp and adc=pad (to identify the device I presume). – nst Oct 04 '13 at 09:36
1

Query params adc=phone and application_id=your_iosapp_sig (I think) are added to each request URL during the OAuth process. Twitter should be able to identify your app by the application_id.

Once you build your TWRequest, you can see the URL request by:

```objc
NSLog(@"%@", request.signedURLRequest.URL.absoluteString);
```

This should reveal the above two params.

georgemp
  • Correct, I updated my article on Twitter API accordingly: http://seriot.ch/abusing_twitter_api.php#5 – nst Oct 04 '13 at 09:34
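An added example, not code from either answer or from Apple's frameworks: it builds the OAuth 1.0a (RFC 5849) HMAC-SHA1 signature over a URL carrying the `adc` and `application_id` query parameters mentioned above, showing that those parameters are part of the signed base string. It assumes the request follows RFC 5849; the URL, bundle id, keys and secrets are constructed sample values.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(s):
    # RFC 5849 section 3.6: everything except unreserved characters is percent-encoded
    return quote(s, safe="-._~")

def base_string(method, url, oauth_params):
    parts = urlsplit(url)
    # Section 3.4.1.3: URL query parameters are signed together with the oauth_* ones
    params = parse_qsl(parts.query, keep_blank_values=True) + list(oauth_params.items())
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    # Assumes the URL carries no explicit default port (section 3.4.1.2 would strip it)
    base_uri = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])

def sign(method, url, oauth_params, consumer_secret, token_secret):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    message = base_string(method, url, oauth_params).encode()
    return base64.b64encode(hmac.new(key, message, hashlib.sha1).digest()).decode()

def verify(method, url, oauth_params, signature, consumer_secret, token_secret):
    expected = sign(method, url, oauth_params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

def attribution_params(url):
    # The two parameters the answer says appear in the signed request URL
    query = dict(parse_qsl(urlsplit(url).query))
    return {k: query[k] for k in ("adc", "application_id") if k in query}

# Constructed sample values, not captured from a real device or account
SAMPLE_URL = ("https://api.twitter.com/1.1/statuses/home_timeline.json"
              "?adc=phone&application_id=com.example.MyApp")
OAUTH = {"oauth_consumer_key": "constructed-consumer-key",
         "oauth_token": "constructed-user-token",
         "oauth_nonce": "constructednonce01",
         "oauth_timestamp": "1349100000",
         "oauth_signature_method": "HMAC-SHA1",
         "oauth_version": "1.0"}
CONSUMER_SECRET = "constructed-consumer-secret"
TOKEN_SECRET = "constructed-token-secret"

if __name__ == "__main__":
    sig = sign("GET", SAMPLE_URL, OAUTH, CONSUMER_SECRET, TOKEN_SECRET)
    edited = SAMPLE_URL.replace("com.example.MyApp", "com.example.Other")
    print(attribution_params(SAMPLE_URL))
    print("original verifies:", verify("GET", SAMPLE_URL, OAUTH, sig, CONSUMER_SECRET, TOKEN_SECRET))
    print("edited application_id verifies:", verify("GET", edited, OAUTH, sig, CONSUMER_SECRET, TOKEN_SECRET))
```

The signature binds `application_id` to the request, but the signing key is the consumer secret shared by every app on the device, so the value identifies whatever the signer put there rather than proving which app it was.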