Signing out of Google Account
March 30, 2023 7:41 AM   Subscribe

Yesterday my phone was dying so on my boyfriend's phone, I signed into an app using my Google Account. I felt uncomfortable doing it but it was the Too Good to Go app and we were going to pick up food imminently. He kind of pressured me to do it so I just did, he definitely didn't have any nefarious plans, he just wanted us to be able to collect the food.

Today, he messaged me suddenly saying that my calendar had appeared on his phone. I immediately told him to log out of the app and I also signed into my Google Account and logged out of his device.

However a message came up saying I had given some apps third party permissions and that the device might still have access. One of those things was Chrome Webview.

I'm so paranoid that he will be able to access my Google searches or history....some of which is about him. Ugh I feel so angry that I didn't listen to my gut instinct and not do it? I don't know if this is reasonable but I'm feeling enraged with him for forcing me to do it and then just casually informing me he had access to my calendar.

Does anyone here know whether I am now safe from him being able to view any of my stuff?
posted by Sunflower88 to Technology (16 answers total) 5 users marked this as a favorite
 
Response by poster: Just to add that I didn't realise that by signing in via an app, that my entire Google Account would then become available on his phone. He could potentially have access to my Google Drive etc.
posted by Sunflower88 at 7:50 AM on March 30, 2023


It’s ok, don’t panic! Go into your account and remove permissions and change the password. You should be able to force log out all devices when you change the password. Also, good news is he immediately told you that it was showing up in his calendar instead of snooping.
posted by Bottlecap at 7:56 AM on March 30, 2023 [13 favorites]


Have you gone through this page to log him out of your account on his phone? It's hard to tell from what you've written above. There's also this page which shows you how to manage third-party app access to your account.
posted by sagc at 7:56 AM on March 30, 2023 [3 favorites]


Response by poster: @sagc - yes I've now done both those things. I've logged out of his device completely and I removed third party access specifically from the Too Good to Go app.
posted by Sunflower88 at 8:01 AM on March 30, 2023 [3 favorites]


The fact that he let you know promptly suggests he's quite trustworthy, which is nice. But google access is so powerful that you were quite right to delete it promptly. I understand the panic, but I think once the adrenaline is done, you can see it clearly.
posted by theora55 at 8:51 AM on March 30, 2023 [12 favorites]


It sounds like the Google part of your question is resolved. So I wanted to comment on the "I felt uncomfortable doing it" part.

From time to time, I've let people pressure me into doing things that they thought were minor but that ended up having consequences. For example, I once showed up with a couple friends to help someone move a massive massive TV out of her basement and then the person whose TV it was left us alone and wandered off to go hang out with someone! It was a 4-person lift and I knew it. I wanted to leave. One of the friends I brought with me pressured me into trying to move it anyway. I injured my wrist. That was like 10 years ago. I still have that injury today.

Sometimes your gut knows things that your brain doesn't have the words to advocate for. So it's important to be able to say no to pressure, even when you're both sure the other person is being reasonable. Take some time now to identify that gut feeling in yourself, so that you can recognize it more easily when you feel it again.
posted by aniola at 9:10 AM on March 30, 2023 [12 favorites]


The formula I use for this is "No, that's not a thing that I do."

"How come?"

"It's not a thing that I do."

"But why not?"

"Because it's not a thing that I do."

"For what reason?"

"It's not a thing that I do." (looking at them as if I'm starting to wonder if they're slightly dim)

"Oh come on, just this once, what's the harm?"

"No, that's not a thing that I do."

"You're being completely unreasonable about this."

"Well, it's not a thing that I do."

It's a variant of the Broken Record parenting technique and it works extremely well. There is simply no way for the other party to force the conversation to progress to where they want it to.
posted by flabdablet at 10:09 AM on March 30, 2023 [9 favorites]


Response by poster: Thanks all.

He is still logged in as me on the Too Good To Go app and he's acting like we should leave it that way.

Why is he still logged in as me on the app?
posted by Sunflower88 at 10:45 AM on March 30, 2023


Oh, and in case it wasn't obvious: sharing credentials for any of my accounts with other people or their devices is not a thing that I do. I did it once. The consequences for me were much as they currently are for you. So now, that's not a thing that I do.

Every near miss has something to teach us.
posted by flabdablet at 10:45 AM on March 30, 2023 [4 favorites]


He is still logged in as me on the Too Good To Go app

Does that app show up as something you can remove at myaccount.google.com/permissions?

If it does and you remove it, or if it doesn't because you've already removed it, then the Too Good To Go app will not be able to do anything with your Google account beyond using it purely to establish its own idea of an identity for you, and any attempt it makes to do so should just fail.

If boyfriend wants TGTG to work on his phone after you've done that and the authentication stuff works the way I think it does, then his only workable option will be to sign out and create his own TGTG identity on his own phone via his own Google account. Which is what he should just have done in the first place instead of arguing with you.

Why is he still logged in as me on the app?

Again if this stuff works the way I believe it does, this probably means that the app has not yet tried to use your Google identity for anything other than local display purposes since you removed it from your account. If he tries to use it to place or pick up an order, I would expect him to start seeing error messages that he'll only be able to resolve by logging out.
posted by flabdablet at 11:13 AM on March 30, 2023 [7 favorites]


By the way, the kind of experience you're currently having is why signing into things with my Google Account is also not a thing that I do.

I strongly resist using online services that offer no provision for creating a specific username and password for use with the service itself but instead insist on piggybacking on an identity I've already established with some other service.

If a service is compellingly good apart from forcing this kind of piggybacking, I'll set up a separate Google (or whatever) account specifically for use with only that service. I keep track of all this shit in a KeePass database file that I use via KeePassXC on desktop and KeePassDroid and Dropbox on my phone.

Single sign-on is a fucking scourge. Any convenience it appears to offer is almost always immediately negated by privacy intrusions of one sort or another.
posted by flabdablet at 11:32 AM on March 30, 2023 [9 favorites]


You should be able to find out exactly what will happen on boyfriend's phone by logging into TGTG on your own phone using your own Google credentials, verifying that it works, then using Google's permissions page to remove TGTG from your Google account again.

If I'm not steering you wrong, then what you should see is that the TGTG app on your phone still seems to be logged in as you, but won't actually work properly until you log out and log in again.

What's happening under the hood in this kind of case is that the app's logon procedure issues an authentication request to Google, which causes some kind of web page to pop up on your device telling you that a service named such-and-such is asking for access thus-and-so.

If you okay that popup, then Google hands the app a unique authentication token: essentially just a random number, but with enough digits to make the chance of the same number emerging from any other random number generator before the heat death of the Universe essentially zero.

The app can then present that token when it wants access to the Google facilities you told Google it could have. And if Google still has that token on file, it can check the list of authorized facilities associated with it and decide whether or not to allow that access.

Removing an app using Google's permissions page just makes Google forget any token issued to that app. So when the app next tries to use its token, it's now just a random number; Google can't find any record of it and it doesn't work.

But until the app does try to use the now-revoked authentication token, it's not going to find out that it doesn't work, and it will continue to show your Google account as the thing it's currently logged into.
posted by flabdablet at 12:22 PM on March 30, 2023 [1 favorite]


"He kind of pressured me to do it". Red flag. Just say no, always.
posted by amfgf at 2:03 PM on March 30, 2023


Why is he still logged in as me on the app?

Trying to understand your question here. Is it a relationship question or a technical question?
posted by aniola at 7:59 PM on March 30, 2023


Even if it is a relationship question, it's worth looking at the situation through the lens of the Hierarchy of Controls.

Having one of your accounts signed in on a device you don't control is a hazard. The quality of the relationship with the owner of that device affects the risk associated with that hazard, but doesn't change its nature as a hazard.

As long as there remain legitimate uses for multiple devices concurrently signed into the same user account, there's no way to eliminate that hazard entirely.

Requiring that the other device's owner take action to remove that hazard amounts to applying an administrative control.

Forcibly removing it yourself by using the facilities designed into user accounts to do exactly that amounts to applying an engineering control. Engineering controls are more effective than administrative controls, and practising their use is therefore preferable regardless of relationship quality.

My own refusal to play the single-sign-on game at all amounts to substitution of the hazard presently under discussion with a lesser version, which is more effective again.
posted by flabdablet at 2:58 AM on March 31, 2023 [3 favorites]


Response by poster: Not a relationship question, a technical question.

I think you guys have adequately explained it though, so thank you all!
posted by Sunflower88 at 3:31 AM on March 31, 2023 [2 favorites]


« Older Still masking at work, which is a problem for one...   |   Summer camps for trans kids in the New England... Newer »
This thread is closed to new comments.