
Keys

If I asked you for your Gmail login credentials would you give them to me? Probably not — and rightly so — because those credentials are the portal to your personal email, and you don’t want me poking around in there. Unfortunately, I’ll bet you’ve given them to other folks you don’t know, and if they aren’t trustworthy, they now have the keys to your mobile kingdom.

I started thinking about this when Dave Winer pointed out the new Path photo-sharing app grabbed all his contacts on the iPhone without permission. Dave is rightly concerned that his private contact list is now resident on the app developer’s servers somewhere. He points out he should at least have been asked if that was OK first, but instead, it just happened when he installed the Path app on his iPhone.

Unfortunately, this is a common occurrence in the world of mobile apps. If you have a smartphone and use Twitter, odds are you’ve installed a few free apps that let you tweet on the go. Until Twitter moved third-party apps to OAuth in 2010, those apps simply asked for your Twitter username and password and kept them; an OAuth app instead sends you to Twitter to approve it and gets back a token that is tied to that app and can be revoked without touching your password. Either way, if you’ve tried a few Twitter apps on your phone, you’ve handed access to your account to developers you don’t know. If you want to see that first-hand, go to the Connections page in your Twitter settings and see how many apps you’ve authorized; each entry there can be revoked individually. I have 16 apps/services I’ve authorized to tap into my private Twitter account, most of them mobile apps I’ve installed on Android phones and the iPad.

That’s just Twitter, though, so the worst a rogue developer can do is post as me and get me in trouble. That would be bad enough, but it is nothing compared to the damage that could be done with my Gmail credentials. Guess what? I realize that not only do several people and organizations I don’t know have them, but that I willingly handed them over.

I use Google Reader to follow RSS feeds, as do millions of you, and I use apps on my iPad and phone to make working with Reader easier. When I installed those apps, I duly typed in my Gmail login. At the time it didn’t seem like a big deal; it was only RSS, right? Unfortunately, a Google password is not scoped to one service. Reader apps typically use Google’s ClientLogin API, which takes the raw username and password rather than a limited token, so once a third party has my Gmail login they can sign in to any Google service as if they were me.

That leaves my email wide open to these people, which is scary enough, but it’s only the tip of the iceberg, because I use an Android phone. I install lots of apps from the Android Market, which is accessed with the same Gmail credentials. Worse, the Market is set up to pay for apps with my personal credit card through Google Checkout, and Checkout is reached through those same credentials. Now you begin to see the scope of the potential problem: one password, and whoever holds it can read my mail, reset my other accounts through it, and spend my money.

Now I’m sure the one app developer whose app I use on the phone is a good person and won’t take advantage of my information. The problem is I didn’t do that just once; I did it multiple times. I tried several RSS reader apps on my iPad, and input my login information to every one of them. I did the same thing on my Android phone until settling on the app I like. I figure there must be 7 or 8 parties who now have my Google login credentials. I thought I was conscious of security as a rule, so this realization floors me.

I immediately changed my various login credentials, and I strongly urge you to do the same right now. Note that a new password only reliably cuts off apps that stored the old one; apps you authorized with a token (the Connections page on Twitter, and the list of authorized applications and sites in your Google account settings) do not necessarily stop working, so go through those lists and revoke anything you no longer use. Then decide whether each app is worth giving the new login information at all. Prefer apps that use token-based authorization over ones that ask for the password itself, pick the most trustworthy one and stick to it, and where your provider offers two-step verification, turn it on. Limit your exposure as best you can.
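To make the difference concrete, here is a small model of the two situations the post describes, added here as an illustration; it is example code, not anything from the post or from Google or Twitter. It is a toy account server with an assumed set of services (mail, reader, market, checkout) and one constructed user. An app that stores and replays the password reaches every service behind it; an app the user authorizes for one scope receives only an opaque, revocable token tied to that app, and never sees the password. The service names, the token format and the rule that changing the password leaves existing tokens in place are assumptions of the model (real providers differ on that last point), which is why revoking apps is shown as a separate step from changing the password.

```python
"""Added example, not code from the post or from any real provider: a toy
account server contrasting an app that holds the user's password with an
app that holds a scoped, revocable token.  Service names and the rule that
a password change leaves tokens in place are assumptions of this model."""
import hashlib
import hmac
import secrets

SERVICES = {"mail", "reader", "market", "checkout"}  # assumed service set


class AccessDenied(Exception):
    pass


class AccountServer:
    def __init__(self):
        self.accounts = {}  # user -> {"salt", "hash", "tokens": {token: grant}}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.accounts[user] = {"salt": salt, "hash": self._hash(password, salt),
                               "tokens": {}}

    def _check_password(self, user, password):
        acct = self.accounts.get(user)
        return acct is not None and hmac.compare_digest(
            acct["hash"], self._hash(password, acct["salt"]))

    # Path A (what the post describes): the app replays the stored password.
    # A password is not scoped, so every service behind it answers.
    def access_with_password(self, user, password, service):
        if not self._check_password(user, password):
            raise AccessDenied("bad username or password")
        return f"{service} data for {user}"

    # Path B: the user approves the app for a scope once; the app receives an
    # opaque token tied to that app and scope and never sees the password.
    def authorize_app(self, user, password, app, scope):
        if not self._check_password(user, password):
            raise AccessDenied("bad username or password")
        if not scope <= SERVICES:
            raise ValueError(f"unknown scope: {scope - SERVICES}")
        token = secrets.token_urlsafe(24)
        self.accounts[user]["tokens"][token] = (app, frozenset(scope))
        return token

    def access_with_token(self, token, service):
        for user, acct in self.accounts.items():
            if token in acct["tokens"]:
                app, scope = acct["tokens"][token]
                if service not in scope:
                    raise AccessDenied(f"{app}'s token is not valid for {service}")
                return f"{service} data for {user}"
        raise AccessDenied("unknown or revoked token")

    def connections(self, user):
        # The equivalent of Twitter's Connections page: which apps hold tokens.
        return sorted({app for app, _ in self.accounts[user]["tokens"].values()})

    def revoke(self, user, app):
        toks = self.accounts[user]["tokens"]
        self.accounts[user]["tokens"] = {t: g for t, g in toks.items() if g[0] != app}

    def change_password(self, user, old, new):
        if not self._check_password(user, old):
            raise AccessDenied("bad username or password")
        salt = secrets.token_bytes(16)
        self.accounts[user].update(salt=salt, hash=self._hash(new, salt))
        # Model assumption: tokens survive a password change; revoke separately.


def _denied(fn):
    try:
        fn()
    except AccessDenied:
        return True
    return False


def demo():
    """Walk the post's scenario with a constructed user; return what happened."""
    srv = AccountServer()
    srv.register("jk", "hunter2")  # constructed sample user and password
    out = {}
    # An RSS app that stored the password can read mail and checkout too.
    out["password_reaches_mail"] = srv.access_with_password("jk", "hunter2", "mail")
    out["password_reaches_checkout"] = srv.access_with_password("jk", "hunter2", "checkout")
    # The same kind of app authorized for {"reader"} only.
    tok1 = srv.authorize_app("jk", "hunter2", "rss-app-1", {"reader"})
    out["token_reaches_reader"] = srv.access_with_token(tok1, "reader")
    out["token_blocked_from_mail"] = _denied(lambda: srv.access_with_token(tok1, "mail"))
    # A second app; revoking the first leaves the second working.
    tok2 = srv.authorize_app("jk", "hunter2", "rss-app-2", {"reader"})
    out["connections_before"] = srv.connections("jk")
    srv.revoke("jk", "rss-app-1")
    out["connections_after"] = srv.connections("jk")
    out["revoked_token_dead"] = _denied(lambda: srv.access_with_token(tok1, "reader"))
    # Changing the password cuts off every replayed copy of it, not the tokens.
    srv.change_password("jk", "hunter2", "correct horse battery")
    out["old_password_dead"] = _denied(lambda: srv.access_with_password("jk", "hunter2", "mail"))
    out["token_survives_change"] = srv.access_with_token(tok2, "reader")
    return out
```

Calling `demo()` walks through the scenario: the password-holding app reads mail and checkout data; the token-holding app reads Reader and is refused for mail; after `revoke`, the first app's token is dead while the second app's still works; and after `change_password`, the old password is refused everywhere but the surviving token still works, which is the reason the post's advice to change passwords needs to be paired with a pass through the authorized-apps list.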

Image credit: Flickr user matsukawa1971


  1. What’s worse is if you use the same password all over the place – which I’ve done in the past. Once someone gets a password for one service, the first thing they do is change it, then try out your username/password combo on a bunch of different sites.

  2. Your commentary made me think that most people have no idea what is going on when they use a smartphone. They read the consent policies before installing apps as much as they read the End User License Agreements on software. I see it just getting murkier as people trust more and more very important information to “free services” instead of being willing to pay a small amount for real support and security.

  3. The first and best thing you can do is to avoid things by Google. That’s the biggest step towards safety you can take. Then, use multiple passwords and, as you say, minimize the number of services and apps you use.

    Don’t trust things that are for free. Those are the most expensive.

  4. While I sympathize with the safety concerns relating to software and/or services that are “free”, paying a few dollars for an application is no guarantee that the company or person that you are dealing with is any more reputable. Unfortunately, until this becomes a problem for the carriers (as credit card fraud has for banks), I do not expect much to change. I think that discrete passwords are probably one of the easiest precautions against any extensive damage.

    –Ken

  5. Entering your login information into an app doesn’t mean that the app itself is receiving your credentials. Installing software on your phone is just like installing software on your PC.

    1. While technically true, it doesn’t mean that it’s not collecting your info either. Point being, you should NEVER give any 3rd-party app your Gmail password. What if you do your banking through email? How about PayPal? How about having your financial passwords reset with the new password sent to your email so the crook can then access it? At the very least you should only use apps that rely on OAuth.

      What I wonder is whether apps installed on Android that have nothing to do with Google services can still gain access to your Gmail password. It seems unlikely, as Google would probably have measures in place to make giving out your Gmail password a user action only. But if not, imagine how easy it would be for a crook to submit a fake app to the Market to harvest passwords and then access email accounts looking for financial info.

  6. Google has already started work on rolling out two-step authentication:
    http://techcrunch.com/2010/09/20/google-secure-password/

    While the process is more involved and takes much longer to deal with, the advantage is that this giving away of the keys to one’s mobile kingdom becomes vastly harder.

  7. No app is using my Gmail account. None. If I have to, I have an alternative Gmail to use. Kind of basic, my dear Watson.

  8. The way twitter authorizes posts is by authorizing the application with a token of sorts. The application is not supposed to retain any credentials. But a more fundamental issue is to explore the need for digital IDs and their ultimate ownership. I have some thoughts at http://monday-morn.blogspot.com/2010/12/keys-to-kingdom.html

  9. Ahh, but this is what OAuth aims to solve. In the following link the author uses the analogy of your car’s valet key (yours, not mine, because my car is too cheap for one). Instead of giving your full functioning key to the valet, you give them the limited function key. For this discussion, that means you’re using a token and trusted services instead of your full ID and PW. The analogy is not perfect but it is very good. Check it out: http://hueniverse.com/oauth/

    NOTE: Those familiar with OAuth, you will flame that it is not secure. And v1.0 does have a vulnerability that can be exploited. Still, the idea is sound and work is underway to address the security issues.

