Suggestions for steemconnect: add security design, information and good practice

In the light of utopian-io hack, we can improve steem ecosystem overall security by improving the default security of steem apps.

Repository

https://github.com/steemit/steemconnect
Steemconnect is a token based authentication for Steem made easy. It let's you interact with the Steem blockchain without entrusting your private keys to third party. One huge advantage is that after a hack, you don't need to change your key but just to revoke the tokens.

Components

This proposal is mainly about the type of information missing, for a better security, from the project.

Proposal

For Users:

• app origin for operations. It is very hard to determine where the operations came from. During a hack, it is impossible to find the compromised application. Right now there is an "app" field but only for posting.
• complete documentation of the different permissions. I saw an update but we need more details. For instance it seems that not many steemians were aware of the "offline" permission and what it actually does.
• (ultimately it would be nice to have) ability to choose the permissions we want to give. This one might be impossible to do without having, say a token per permission.

For developers:

• example of app architecture. We have more and more apps on steem and I am not sure they all know how to have a decent secure architecture: what to store, where to store,... We can learn from the bigger projects like busy, utopian,... who did/do/will do security audits.
• OAuth good practices. We should use the experience of the industry on that.
• up to date specifications to have better reviews from the community.

Benefits

This is a proposal to have a healthier ecosystem with battle tested code, design and information. Steemconnect and steem apps are becoming a big part of the ecosystem. We can take those small steps to build good (security) habits.

@cryptohazard