The guy who made the Pownce iPhone app a couple of years ago talked publicly with him.
His blog doesn’t seem to work anymore, but he basically took the “right” approach to OAuth. Instead of entering credentials inside the application, Safari was launched and they were entered there, and then the iPhone’s custom URL was used as a callback to restart the Pownce application. Pretty neat, huh ??
After some time, the developer commented on the comment that many users downloaded the application, but did not actually use it. His conclusion? This is to blame for his brilliant OAuth scheme. Users were confused by running Safari and quit the application.
Honestly though? I believe the fact that the application was intended for Pownce, a service that no one has used, is to blame.
I have an application in the app store right now that uses the Foursquare API, which supports both Basic HTTP auth and OAuth. I decided to "do the right thing" and use OAuth. A user enters their credentials right inside my application. Do I save their username and password anywhere? Nope. But could I be? Of course.
It may seem like I'm arguing for both sides here, but in reality it comes down to the fact that it is very unlikely that your users will know or even care about what OAuth is. It is probably just as unlikely that they will even think twice about including their credentials in your application. OAuth is excellent (damn much better than OpenID), but was not designed with iPhone in mind. It is designed to work inside a web browser. I think the Foursquare API docs docs best talk about their OAuth for mobile / Desktop (different from what they want to do for a web application) - "We provide this mechanism on the assumption that if the user installed your application on with their hardware they trust him enough to transmit their authentication information four times. "