Join 3,572 readers in helping fund MetaFilter (Hide)


Can I trust 3rd-party apps with login info?
June 15, 2011 1:02 PM   Subscribe

Can I trust apps on my computer or phone with email login information?

I have recently gotten hooked on Google Reader, and I've noticed a few apps that have come out that work with it on both the iPhone and the Mac. In particular, I was just looking at the Reeder app on the Mac. However, one thing isn't quite clear to me -- how do these apps use my login information?

I am extremely hesitant to provide my main Gmail login information to some 3rd-party app like Reeder, Sparrow, etc, but perhaps I am just misunderstanding how these types of things work.

I realize I could set up a separate account just for Google Reader if I was paranoid, but that would be a hassle I would like to avoid if possible (as I have lots of things starred, linked, shared, etc). Do these apps store or transmit this information? In the era of uber-simplified 2.0 websites, it is hard to find information on how these things work beyond screenshots. Is there danger of a Sony-style hack situation for an app like this?
posted by This_Will_Be_Good to Technology (12 answers total) 8 users marked this as a favorite
 
Yes, this is a concern.

If you use 2-factor authentication for Gmail then there's a system where each app gets its own password which is random & different from your main password and these passwords can be revoked individually.

Gmail application-specific passwords in the Gmail help center.
posted by GuyZero at 1:05 PM on June 15, 2011 [2 favorites]


If this worries you, sign up for Google's two-factor authentication (activate here). It allows you to set application specific passwords (from link 1: You can also set up one-time application-specific passwords to sign in to your account from non-browser based applications that are designed to only ask for a password, and cannot prompt for the code.)
posted by babby╩╝); Drop table users; -- at 1:07 PM on June 15, 2011 [1 favorite]


So, it isn't the case that the information is only stored locally on the phone or computer, and then transmitted in some encrypted way?

That two-factor authentication just might be the solution. I have that for a bank account I use on a little dongle-thingy -- it's a bit annoying to have to fish that out whenever I want to log in, but the idea that I can have it on my cell instead (which is pretty much glued to my side) is much more convenient. Is there a way to use an application specific password, without having to use that two-factor authentication when I log into my email (I feel like I log into my email on the web a lot -- maybe I am getting now confused with several years ago however)?
posted by This_Will_Be_Good at 1:14 PM on June 15, 2011


No, apps see a regular password that they store however they normally do and transmit in the clear (or maybe over HTTPS) but it's not your actual account password.

As for logging into webmail, there's a little checkbox where you can approve a browser to log you in without the second factor for 30 days. So I only have to type in my second factor code once a month at home.
posted by GuyZero at 1:27 PM on June 15, 2011


Ok -- I have gone through and set this up, and it is a lot easier than I thought. That 30-day checkbox will make this a lot less cumbersome than I thought, and the little authentication app on the iphone is very Bourne/Spy cool.

One final thing I am curious about though, is how the application-specific password works then. Let's say I provide that app-specific password to a desktop RSS reader application, if someone were to gain access to that then they would only be able to log into Reader? Or could they then use that to access gmail? I'm not quite sure how it helps?
posted by This_Will_Be_Good at 2:58 PM on June 15, 2011


They can use that password with any app but in the password management UI you can revoke the passwords at any time. So the idea is that if you think the reader app is doing something odd, you just kill that password and the app is cut off. Or if you lose your phone (heaven forbid) you kill the phone's app-specific password and the phone is now cut off from your email, etc.

But the app specific passwords grant access to everything.
posted by GuyZero at 3:24 PM on June 15, 2011


But the app specific passwords grant access to everything.

This is incorrect. The app specific passwords only work with google services that do not support two factor authentication. If you try to login to gmail with an app specific password you will get an error message telling you to use your regular password.
posted by ridogi at 3:34 PM on June 15, 2011


well they work with everything in the sense that you don't specify what the app-specific password is used for. it could be used to get email, to access reader items, or for google talk.
posted by GuyZero at 3:36 PM on June 15, 2011


So, after using it for a day, I guess I still am a bit confused about the app-specific password. When I generate one, I am just generating a random password -- it isn't restricted to any particular use when I generate it as I am typing a random nickname. It's not like I say this will be a Google-Reader-only password, I am just generating one password and using it one time in any way I want. Hypothetically, if someone were able to copy that down before I was able to type it into whatever app I wanted, they could use it for any application.

So, if I generate one of these app-specific passwords and use it for the Reeder application, and someone was able to hack Reeder for whatever reason and get it -- would they be able to use it to open gmail? Or would Google say, "hey, this should only be coming from the Google Reeder app installed on iPhone X for User Y"!! I'm not really super-paranoid about all this, I just want to understand how this all works, and whether it is worth the time.
posted by This_Will_Be_Good at 10:03 AM on June 16, 2011


Yes, my understanding is that if someone grabbed your reader password it could be used to access gmail, but if you they wouldn't be able to use it to change your master password and you could yank the app-specific password independently.
posted by GuyZero at 10:24 AM on June 16, 2011


Ahhh, that makes sense now -- I think after a bit more fiddling, I can see how that would work. When you log into gmail on the web, you use the two-factor authentication, and then you are into your account and work with your account settings.

If I generate an app-specific password, I can use that to log into my gmail as well from a mail client or an RSS reader or whatnot, but I can't go into my Google Account settings and hack everything to shreds. Yes, someone could take it and read your mail or whatnot, but you could always kill off that password if you though something was going haywire.

I then just tried to generate another app-specific password and just log into gmail on a browser, and that would not work. So, it looks like these work for accessing your mail, calendars, or whatever -- but they won't get you onto your Google Account page on the web to muck things up. You need to use the two-factor authentication to make big changes, and you reserve the right to revoke those passwords if you sense something is wrong.
posted by This_Will_Be_Good at 11:57 AM on June 16, 2011


And, if anyone else is reviewing this -- one nice thing about setting this up is that it shows you what applications you have authorized to have access to your passwords. Well, one of those applications in mine was Google Latitude. I have done EVERYTHING possible to get rid of all traces of Google Latitude. Deleted it from my phone. Tried to get rid of it in dashboard. And on and on. Well, here it was again. So, I revoked that access - I don't know where I ever approved it, but it's nice to know it MIGHT be gone.
posted by This_Will_Be_Good at 11:59 AM on June 16, 2011


« Older Have you ever attended group p...   |  Is there a site, similar to St... Newer »
This thread is closed to new comments.