Are You Giving Away the Keys to Your Mobile Kingdom?


If I asked you for your Gmail login credentials would you give them to me? Probably not — and rightly so — because those credentials are the portal to your personal email, and you don’t want me poking around in there. Unfortunately, I’ll bet you’ve given them to other folks you don’t know, and if they aren’t trustworthy, they now have the keys to your mobile kingdom.

I started thinking about this when Dave Winer pointed out the new Path photo-sharing app grabbed all his contacts on the iPhone without permission. Dave is rightly concerned that his private contact list is now resident on the app developer’s servers somewhere. He points out he should at least have been asked if that was OK first, but instead, it just happened when he installed the Path app on his iPhone.

Unfortunately, this is a common occurrence in the world of mobile apps. If you have a smartphone and use Twitter, odds are you’ve installed a few free apps that let you tweet on the go. In order for the apps to work with Twitter, when you installed them you gave them your Twitter login credentials to work with your account. If you’ve tried a few Twitter apps on your phone, that means you’ve thrown your login credentials around, and you’ve willingly handed them over to developers you don’t know. If you want to see that first-hand, go to your settings page in your Twitter account and see how many Connections you’ve authorized. I have 16 apps/services I’ve authorized to tap into my private Twitter account, most of them mobile apps I’ve installed on Android phones and the iPad.

That’s just Twitter, though, so it can’t really impact me unless one of the developers who now has my credentials starts posting stuff that gets me in trouble. That would be bad enough, but nothing compared to the damage that could be caused if someone got my Gmail credentials. Guess what? I realize that not only do several people/organizations I don’t know have them, but I willingly handed them over.

I use Google Reader to follow RSS feeds, as do millions of you. I use apps on my iPad and phone to make working with Reader easier, and when I installed those apps, I duly input my Gmail login information. At the time it didn’t seem like a big deal; it was only RSS information, right? Unfortunately, once a third party has my Gmail login, they can tap any Google service as if they were me.

That leaves my email wide open to these people, which is scary enough, but that’s only the tip of the iceberg, as I use an Android phone. I install lots of apps on my phone from the Android Market, which is accessed using the same Gmail credentials. Even worse, the Market is set up to use my personal credit card to pay for apps, and Google Checkout is accessed through those same credentials. Now you begin to see the scope of the potential problem.

Now I’m sure the one app developer whose app I use on the phone is a good person and won’t take advantage of my information. The problem is I didn’t do that just once; I did it multiple times. I tried several RSS reader apps on my iPad, and input my login information to every one of them. I did the same thing on my Android phone until settling on the app I like. I figure there must be 7 or 8 parties who now have my Google login credentials. I thought I was conscious of security as a rule, so this realization floors me.

I immediately changed my various login credentials, and I strongly urge you to do so right now. Then you have to decide whether these apps are worth giving the new login information to. At the very least, pick the most trustworthy app and stick to that one. Limit your exposure as best you can.

Image credit: Flickr user matsukawa1971


10 Comments

Al Isiam

Ahh, but this is what OAuth aims to solve. In the following link the author uses the analogy of your car’s valet key (yours, not mine, because my car is too cheap for one). Instead of giving your full functioning key to the valet, you give them the limited function key. For this discussion, that means you’re using a token and trusted services instead of your full ID and PW. The analogy is not perfect but it is very good. Check it out: http://hueniverse.com/oauth/

NOTE: Those familiar with OAuth, you will flame that it is not secure. And v1.0 does have a vulnerability that can be exploited. Still, the idea is sound and work is underway to address the security issues.
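To make the valet-key analogy concrete, here is an added example (not from the original post, the comment above, or any real OAuth library): a toy resource server in Python that hands each third-party app its own signed, scope-limited, expiring token instead of the user’s password. It shows the three properties the analogy is about: the RSS-reader app’s token cannot be used to read mail or pay for apps, a token whose scope list has been edited fails signature verification, and the user can revoke one app without touching any other. The server name, secret, user, app names and scope strings are all constructed for the example.

```python
"""Scoped delegation tokens instead of a shared password (added example)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# Constructed signing key; in a real service it never leaves the server.
SERVER_SECRET = b"constructed-server-signing-key-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ResourceServer:
    """Hypothetical service standing in for a Google/Twitter-style API.

    Each third-party app gets its own 'valet key': a signed token naming the
    user, the app, an explicit scope list and an expiry. The app never learns
    the password, and the user can revoke one app alone.
    """

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._revoked: set[int] = set()   # token ids the user has pulled
        self._next_id = 0

    def issue(self, user: str, app: str, scopes: set[str],
              ttl: int = 3600, now: float | None = None) -> str:
        """Mint a token for `app` acting as `user`, limited to `scopes`."""
        now = time.time() if now is None else now
        self._next_id += 1
        claims = {"jti": self._next_id, "sub": user, "app": app,
                  "scope": sorted(scopes), "exp": int(now) + ttl}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self._secret, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(sig)}"

    def _decode(self, token: str) -> dict | None:
        """Return the claims only if the token is well-formed and its signature intact."""
        try:
            body, sig = token.split(".")
            expected = hmac.new(self._secret, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig)):
                return None                  # forged or edited after issue
            return json.loads(_unb64(body))
        except ValueError:                   # malformed token, base64 or JSON
            return None

    def authorize(self, token: str, required_scope: str,
                  now: float | None = None) -> bool:
        """Would this token let its holder perform `required_scope` right now?"""
        claims = self._decode(token)
        if claims is None or claims["jti"] in self._revoked:
            return False                     # bad signature or revoked
        now = time.time() if now is None else now
        if now >= claims["exp"]:
            return False                     # expired
        return required_scope in claims["scope"]

    def revoke(self, token: str) -> bool:
        """User pulls the key for one app; every other app keeps working."""
        claims = self._decode(token)
        if claims is None:
            return False
        self._revoked.add(claims["jti"])
        return True


def edited_scope(token: str, extra_scope: str) -> str:
    """Re-encode the body with an added scope but keep the old signature.
    Used only to verify that the server refuses a token altered by its holder."""
    body, sig = token.split(".")
    claims = json.loads(_unb64(body))
    claims["scope"] = sorted(set(claims["scope"]) | {extra_scope})
    return f"{_b64(json.dumps(claims, sort_keys=True).encode())}.{sig}"


def demo(now: float = 1_700_000_000.0) -> dict[str, bool]:
    """Walk through the valet-key properties with two constructed apps."""
    server = ResourceServer(SERVER_SECRET)
    reader = server.issue("alice", "rss-reader-app", {"reader:read"}, now=now)
    tweeter = server.issue("alice", "tweet-app", {"tweet:write"}, now=now)
    results = {
        "reader_can_read_feeds": server.authorize(reader, "reader:read", now),
        "reader_cannot_read_mail": not server.authorize(reader, "mail:read", now),
        "reader_cannot_buy_apps": not server.authorize(reader, "checkout:pay", now),
        "edited_token_rejected": not server.authorize(
            edited_scope(reader, "mail:read"), "mail:read", now),
        "token_expires": not server.authorize(reader, "reader:read", now + 3601),
    }
    server.revoke(reader)                    # user stops trusting one app
    results["revoked_app_locked_out"] = not server.authorize(reader, "reader:read", now)
    results["other_app_unaffected"] = server.authorize(tweeter, "tweet:write", now)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:26s} {'ok' if ok else 'FAIL'}")
```

Contrast this with the situation the post describes: a password is one unscoped, non-expiring key that every app holds in full, so the only revocation available is the blunt one the author had to use, changing the password everywhere at once.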

Tal

No app is using my Gmail account. None. If I have to, I have an alternative Gmail to use. Kind of basic, my dear Watson.

Jack C

Entering your login information into an app doesn’t mean that the app itself is receiving your credentials. Installing software on your phone is just like installing software on your PC.

Noil

While technically true, it doesn’t mean that it’s not collecting your info either. Point being, you should NEVER give any 3rd-party app your Gmail password. What if you do your banking through email? How about PayPal? How about having your financial passwords reset with the new pass sent to your email so the crook can then access it? At the very least you should only use apps that rely on OAuth.

What I wonder is whether apps installed on Android that have nothing to do with Google services can still gain access to your Gmail password. It seems unlikely, as Google would probably have measures in place to make giving out your Gmail password a user action only. But if not, imagine how easy it would be for a crook to submit a fake app to the market to harvest passwords and then access email accounts looking for financial info.

Ken

While I sympathize with the safety concerns relating to software and/or services that are “free”, paying a few dollars for an application is no guarantee that the company or person that you are dealing with is any more reputable. Unfortunately, until this becomes a problem for the carriers (as credit card fraud has for banks), I do not expect much to change. I think that discrete passwords are probably one of the easiest precautions against any extensive damage.

–Ken

Steve

The first and best thing you can do is to avoid things by Google. That’s the biggest step towards safety you can take. Then, use multiple passwords and, as you say, minimize the number of services and apps you use.

Don’t trust things that are for free. Those are the most expensive.

Stuart

Your commentary made me think that most people have no idea what is going on when they use a smartphone. They read the consent policies before installing apps as much as they read the End User License Agreements on software. I see it just getting murkier as people trust more and more very important information to “free services” instead of being willing to pay a small amount for real support and security.

Ricky Cadden

What’s worse is if you use the same password all over the place – which I’ve done in the past. Once someone gets a password for one service, the first thing they do is change it, then try out your username/password combo on a bunch of different sites.
