If I asked you for your Gmail login credentials would you give them to me? Probably not — and rightly so — because those credentials are the portal to your personal email, and you don’t want me poking around in there. Unfortunately, I’ll bet you’ve given them to other folks you don’t know, and if they aren’t trustworthy, they now have the keys to your mobile kingdom.
I started thinking about this when Dave Winer pointed out the new Path photo-sharing app grabbed all his contacts on the iPhone without permission. Dave is rightly concerned that his private contact list is now resident on the app developer’s servers somewhere. He points out he should at least have been asked if that was OK first, but instead, it just happened when he installed the Path app on his iPhone.
Unfortunately, this is a common occurrence in the world of mobile apps. If you have a smartphone and use Twitter, odds are you’ve installed a few free apps that let you tweet on the go. In order for the apps to work with Twitter, when you installed them you gave them your Twitter login credentials to work with your account. If you’ve tried a few Twitter apps on your phone, that means you’ve thrown your login credentials around, and you’ve willingly handed them over to developers you don’t know. If you want to see that first-hand, go to your settings page in your Twitter account and see how many Connections you’ve authorized. I have 16 apps/services I’ve authorized to tap into my private Twitter account, most of them mobile apps I’ve installed on Android phones and the iPad.
That’s just Twitter, though, so it can’t really impact me unless one of the developers who now has my credentials starts posting stuff that gets me in trouble. That would be bad enough, but nothing compared to the damage that could be caused if someone got my Gmail credentials. Guess what? I realize that not only do several people/organizations I don’t know have them, but I willingly handed them over.
I use Google Reader to follow RSS feeds, as do millions of you. I use apps on my iPad and phone to make working with Reader easier, and when I installed those apps, I duly input my Gmail login information. At the time it didn’t seem like a big deal; it was only RSS information, right? Unfortunately, once a third party has my Gmail login, they can tap any Google service as if they were me.
That leaves my email wide open to these people, which is scary enough, but that’s only the tip of the iceberg, as I use an Android phone. I install lots of apps on my phone from the Android Market, which is accessed using the same Gmail credentials. Even worse, the Market is set up to use my personal credit card to pay for apps, and Google Checkout is accessed through those same credentials. Now you begin to see the scope of the potential problem.
Now I’m sure the one app developer whose app I use on the phone is a good person and won’t take advantage of my information. The problem is I didn’t do that just once; I did it multiple times. I tried several RSS reader apps on my iPad, and input my login information to every one of them. I did the same thing on my Android phone until settling on the app I like. I figure there must be 7 or 8 parties who now have my Google login credentials. I thought I was conscious of security as a rule, so this realization floors me.
I immediately changed my various login credentials, and I strongly urge you to do so right now. Then you have to decide whether these apps are worth trusting with the new login information. At the very least, pick the most trustworthy app and stick to that one. Limit your exposure as best you can.