Comments on: Are You Giving Away the Keys to Your Mobile Kingdom?

By: Al Isiam

Al Isiam — Thu, 09 Dec 2010 04:57:36 +0000

Ahh, but this is what OAuth aims to solve. In the following link the author uses the analogy of your car’s valet key (yours, not mine, because my car is too cheap for one). Instead of giving your full functioning key to the valet, you give them the limited function key. For this discussion, that means your using a token and trusted services instead of your full ID an PW. The analogy is not perfect but it is very good. Check it out: http://hueniverse.com/oauth/

NOTE: Those familiar with OAuth, you will flame that it is not secure. And v1.0 does have a vulnerability that can be exploited. Still the idea is still sound and work is underway to address the security issues.

By: Baber Amin

Baber Amin — Wed, 08 Dec 2010 05:19:27 +0000

The way twitter authorizes posts is by authorizing the application with a token of sorts. The application is not supposed to retain any credentials. But a more fundamental issue is to explore the need for digital IDs and their ultimate ownership. I have some thoughts at http://monday-morn.blogspot.com/2010/12/keys-to-kingdom.html

By: Tal

Tal — Wed, 17 Nov 2010 02:29:55 +0000

no app is using my gmail account. none. if i have to, i have an alternative gmail to use. kind of basic my dear Watson.

By: Neo

Neo — Tue, 16 Nov 2010 18:39:24 +0000

Google has already started work on rolling out two-step authentication:
http://techcrunch.com/2010/09/20/google-secure-password/

While the process is more involved and takes much longer to deal with, the advantage is that this giving away of the keys to one’s mobile kingdom becomes vastly harder.

By: Noil

Noil — Tue, 16 Nov 2010 05:16:10 +0000

while technically true, it doesnt mean thats its not collecting your info either. point being, you should NEVER give any 3rd party app your gmail password. what if you do your banking through email? how about paypal? how about having your financial passwords reset with the new pass sent to your email so the crook can then access it? at the very least you should only use apps that rely on Oauth.

what i wonder is, if apps installed on Android that have nothing to do with Google services can still gain access to your Gmail password? it seems unlikely as Google would probably have measures in places to make giving out your Gmail password a user action only. but if not, imagine how easy it would be for a crook to submit a fake app to the market to harvest passwords & then access email accounts looking for financial info.

By: Jack C

Jack C — Tue, 16 Nov 2010 03:02:54 +0000

Entering your login information into an app doesn’t mean that the app itself is receiving your credentials. Installing software on your phone is just like installing software on your PC.

By: Ken

Ken — Mon, 15 Nov 2010 23:29:18 +0000

While I sympathize with the safety concerns relating to software an/or services that are “free”, paying few dollars for an application is no guarantee that the company or person that you are dealing with is any more reputable. Unfortunately, until this becomes a problem for the carriers (as credit card fraud has for banks), I do not expect much to change. I think that discrete passwords is probably one of the easiest precautions from any extensive damage.

–Ken

By: Steve

Steve — Mon, 15 Nov 2010 21:46:21 +0000

The first and best thing you can do is to avoid things by google. Thats the biggest step towards safety you can do. Then, use multiple passwords and as you say, minimize the amount of services and apps you use.

Don’t trust things that are for free. Those are the most expensive.

By: Stuart

Stuart — Mon, 15 Nov 2010 21:32:51 +0000

Your commentary made the think that most people have no idea what is going on when they use a smartphone. They read the consent policies before installing apps as much as they read the End User License Agreements on software. I see it just getting murkier as people trust more and more very important information to “free services” instead of being willing to pay a small amount for real support and security.

By: Ricky Cadden

Ricky Cadden — Mon, 15 Nov 2010 19:35:35 +0000

What’s worse is if you use the same password all over the place – which I’ve done in the past. Once someone gets a password for one service, the first thing they do is change it, then try out your username/password combo on a bunch of different sites.