Posted by: spartain ken 15
I think it should be through the Bungie app. Signing in regularly through your phone is not secure.
That's quite a bold statement. Can you justify it?
Posted by: insaneAssass1n9
Even if it is a third party application made by someone in the community.
That's extremely unlikely to happen because...
1. If the regular browser approach is taken (i.e. just a website you navigate to), the site would not be able to provide any services to you which require authentication. That includes posting, voting, viewing private groups, etc... basically everything you can't do while signed out.
To provide those services, the third party site essentially needs control of your account. Meaning, you would need to willingly give your cookies (which is what identifies your session on the site) to the third party. There is no difference between doing that and your cookies being stolen, except that you're allowing it to happen.
2. If the approach was to use a native application (e.g. iPhone app) which does not allow you to securely sign in through bungie.net/WLID, the problem above still exists. And even if it did, if the browser allows for third party script injection (something similar to Greasemonkey) or extensions, there still exists the possibility for a malicious user to steal your cookies* and compromise your account.
On the off-chance that those extensions/scripts didn't allow network access (which even includes something simple like getting an image), it's a massive amount of effort to have to scrape the existing HTML and reshape it for a mobile device, and to be able to continually do that each time bungie.net changes.
* There is one possible exception to this, which is if bungie.net supplies its session cookies with the HttpOnly flag (which I don't think it currently does - kind of bad IMO) and the browser being used supports it.
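Added example, not part of the original post: a small JavaScript check of whether a site's session cookies carry the HttpOnly flag mentioned in the footnote, with a model of which cookies a page script reading document.cookie would see. The cookie names, values and function names are assumptions made up for illustration, not bungie.net's.

```javascript
// Added example. The Set-Cookie values below are constructed samples;
// cookie and function names are hypothetical, not taken from bungie.net.

// Parse one Set-Cookie header value into name, value and the flags of interest.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no cookie name: ignore the header
  const flags = new Set(attrs.map((a) => a.split('=')[0].trim().toLowerCase()));
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: flags.has('httponly'),
    secure: flags.has('secure'),
  };
}

// Model of document.cookie as seen by a script running in the page.
// A browser that supports HttpOnly leaves flagged cookies out of that string;
// a browser without support exposes everything.
function scriptVisibleCookies(headers, browserSupportsHttpOnly = true) {
  return headers
    .map(parseSetCookie)
    .filter((c) => c && !(browserSupportsHttpOnly && c.httpOnly))
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Audit: names of session cookies that were set without HttpOnly.
function auditSessionCookies(headers, sessionNames) {
  return headers
    .map(parseSetCookie)
    .filter((c) => c && sessionNames.includes(c.name) && !c.httpOnly)
    .map((c) => c.name);
}

// Constructed sample response headers.
const SAMPLE_HEADERS = [
  'session_id=abc123; Path=/; Secure; HttpOnly',
  'auth_token=def456; Path=/',
  'theme=dark; Path=/; Max-Age=31536000',
];

console.log('script-visible:', scriptVisibleCookies(SAMPLE_HEADERS));
console.log('missing HttpOnly:', auditSessionCookies(SAMPLE_HEADERS, ['session_id', 'auth_token']));
```

The model covers only reads through document.cookie; it says nothing about cookies handed over to a third party deliberately.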