Apps stealing passwords and personal info?

Discussion in 'iOS Apps' started by goombamd, Mar 31, 2011.

  1. goombamd macrumors member

    Joined:
    Apr 18, 2010
    #1
    Just wondering if Apple allows developers access to information collected by their app? Does anyone know?

    For example, if I use a Gmail task manager app... does that developer have access to my Gmail login info?
    What about the Facebook app? Do they have access to my login info?

    Can app developers access info end users enter into them, I guess is the question. There's no Little Snitch-like features for iOS that tell you if it's communicating with outside
     
  2. goombamd thread starter macrumors member

    Joined:
    Apr 18, 2010
    #2
    So I just called Apple to check.
    They do not screen apps for spyware and said I would have to simply ask the developer if they steal my password... Of course they worded it nicer, but that seems a bit scary.

    I guess the bottom line is don't use apps that access your Gmail unless they use OAuth technology. Otherwise the developer can easily access your info or email themselves your login credentials. When the dev is a 16 yo from another country, it's just a little less trustworthy with important info like email access.
     
  3. goMac macrumors 603

    Joined:
    Apr 15, 2004
    #3
    Yes.

    Yes.

    How are developers supposed to connect to these services without your login info? Facebook needs your username/password to connect to Facebook. How would Facebook log you in without your login info?

    : scratches head :
     
  4. Atothendrew24 macrumors member

    Joined:
    Jun 30, 2010
    Location:
    Arizona
    #4
    Don't be so paranoid. I'm a developer and I can tell you that your personal information is of no value to us. Like goMac said above, we just need it to log you in to different services that you allow us to use.
     
  5. TheWheelMan macrumors 6502a

    Joined:
    Mar 15, 2011
    #5
    Sorta like asking the maid if she needs a key to go clean your house while you're at work. You should only be worried if her answer is "No." :D
     
  6. Polekat macrumors regular

    Joined:
    Jul 13, 2010
    #6
    So, banking apps are the only ones to be leery about, i.e. Mint.
     
  7. goombamd thread starter macrumors member

    Joined:
    Apr 18, 2010
    #7
    Exactly

    You asked how they are supposed to access your info for the app to work? It's called OAuth... It's available for many of Google's services as well as Twitter, Facebook, etc.

    Basically the app asks for a "token" from Google that is generated when the user logs in THRU Google. The user can then deactivate the token if they no longer wish to provide apps with access.

    Email address password is actually more of a security breach than banks, etc. You can retrieve banking info with a user's primary address. Need DOB? Log in to Facebook... Etc.
     
  8. goMac macrumors 603

    Joined:
    Apr 15, 2004
    #8
    ...how do you think they're going to save your info to send to OAuth?

    At some point they have to get your user/pass to send to OAuth.

    How do they send Google your user name and password without actually getting it from you? Again, at some point, the app has to touch your user name and password.

    And the token, which they also save, is just as good as your user name and password.

    Any way you cut it, an application has to get a token or a user/pass at some point that would let it have full access to your account.

    OAuth doesn't protect the way you seem to think it does. It still gives an app the information it needs to do anything. It's only a system that allows you to have shared login to all your sites. It's not a security system.

    (Note: I am a developer that, among many other things, works with web services)
     
  9. goombamd, Mar 31, 2011
    Last edited: Mar 31, 2011

    goombamd thread starter macrumors member

    Joined:
    Apr 18, 2010
    #9
    No no... the app directs you to Safari (is one way it's done), and you log directly into Google. Then Google sends the token to the app and gives it access to the information requested. E.g. a photo editing app gets access to your Picasa albums, but not your email, calendar, etc.; a calendar app gets access to your calendar but not your personal photos or your Google Docs, etc.

    Then, from Google, you can disable the app's access to the already limited access...

    In other words, the app has access via a token until you turn the token off.


    From: http://hueniverse.com/2007/10/beginners-guide-to-oauth-part-i-overview/

    "OAuth allows you to share your private resources (photos, videos, contact list, bank accounts) stored on one site with another site without having to hand out your username and password. There are many reasons why one should not share their private credentials. Giving your email account password to a social network site so they can look up your friends is the same thing as going to dinner and giving your ATM card and PIN code to the waiter when it’s time to pay. Any restaurant asking for your PIN code will go out of business, but when it comes to the web, users put themselves at risk sharing the same private information. OAuth to the rescue."
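
The token flow described in post #9, modelled as an added example that is not part of the original thread: the login happens at the provider, and the app receives only a token limited to the scopes granted and valid until the user revokes it. `Provider`, `attempt`, `demo`, the scope names and the sample account are all constructed for illustration and are not any real OAuth library's API.

```python
import hashlib
import secrets

class Provider:  # toy account provider, constructed for illustration only
    def __init__(self, users):
        self._passwords, self._grants = {}, {}  # user -> (salt, hash); sha256(token) -> grant
        for user, password in users.items():
            salt = secrets.token_bytes(16)
            self._passwords[user] = (salt, self._kdf(password, salt))
        self._data = {"photos": "album list", "mail": "inbox"}

    def _kdf(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def login_and_authorize(self, user, password, app, scopes):
        """Runs on the provider's own login page; the app only gets the token."""
        salt, stored = self._passwords[user]
        if not secrets.compare_digest(self._kdf(password, salt), stored):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()  # store only a hash of the token
        self._grants[key] = (user, app, frozenset(scopes))
        return token

    def read(self, token, resource):
        grant = self._grants.get(hashlib.sha256(token.encode()).hexdigest())
        if grant is None:
            raise PermissionError("token unknown or revoked")
        if resource not in grant[2]:
            raise PermissionError("scope not granted: " + resource)
        return self._data[resource]

    def revoke(self, user, app):
        """The user switches the app off at the provider; its tokens stop working."""
        self._grants = {k: g for k, g in self._grants.items() if g[:2] != (user, app)}

def attempt(provider, token, resource):
    try:
        return provider.read(token, resource)
    except PermissionError as err:
        return "denied: " + str(err)

def demo():
    p = Provider({"alice": "constructed-password"})
    token = p.login_and_authorize("alice", "constructed-password", "photo-editor", {"photos"})
    seen = [attempt(p, token, "photos"), attempt(p, token, "mail")]
    p.revoke("alice", "photo-editor")
    return seen + [attempt(p, token, "photos")]

print(demo())
```

Within its granted scope and until it is revoked, the token works as a bearer credential, so an app holding one still has to store it carefully.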
     
