
Time limited tokens don't lend a lot of security. Someone malicious can simply scrape your entire account in the 15 minutes or whatever the validity period is.

Scope limited is far better, and something Android is bad at. I suspect they are highly constrained by the need to maintain compatibility all the way back to Android 1.0.

In my opinion, they should drop support for old Android versions by default, and if you want the ability to sign into an old non-updated device, force you to go to a real browser and enable some option like "allow insecure devices".


