Beware Hidden App Access
Mobile and web applications can usually only do what you let them do. But, often for convenience sake, we let them do too much.
Look, I love Facebook. Not enough to use my real name on my account there, mind you, because I don’t trust the idea of sharing my real name and my real birthday on the same social media site. That opens you up to information mining and possible identity theft. But I do love social media interaction, and I think a lot of columnists are absolutely wrong about only being able to maintain 150 friendships.
So now that I’ve established myself as a lover of FB and social media, may I ask that you all please carefully consider which additional new and (worse) seldom-used applications you grant permission to “Log On with Facebook” (or Google+, or Twitter – I’m not singling out any one federated login mechanism)?
For sheer convenience, a lot of people do it in lieu of creating a new username/password combo or even using a “Spamdump” email/password. Why? It’s a pain to constantly type in an email address and password, especially on the tiny little phone letters and numbers. I get that.
These apps, which use your FB or Google account to log you in, don’t have the ability to change your password. They merely check with FB, which then issues a token for that app’s use. I like to think of it as the difference between the badge for my office and the building key. The key can get people into the hallways, but only my badge and fingerprint can get you into my office.
But you really need to go through and chuck out extraneous apps from your permissions now and again. Today’s Twitter Counter hack is an excellent demonstration of how third-party apps use the tokens from your main identity. Twitter Counter and Twitter have both identified the issue and dealt with it, which one presumes means changing permissions, updating both the authentication and authorization protocols regarding how much they share and how they communicate, and possibly other application security measures.
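A small constructed model of the badge-versus-key distinction and the periodic clean-out (added example, not code from the original article or any provider’s real API; the app names and scope strings are made up):

```python
import secrets
from dataclasses import dataclass
# Scopes an app may be granted; the read-only ones are the "look but not touch" kind.
DELEGABLE_SCOPES = {"profile:read", "posts:read", "posts:write"}

@dataclass
class AppToken:
    app: str
    scopes: frozenset
    revoked: bool = False

class IdentityProvider:
    """Constructed stand-in for the role FB/Google/Twitter play; not any real API."""
    def __init__(self):
        self._tokens = {}  # opaque token string -> AppToken
    def authorize_app(self, app, scopes):
        """'Log on with ...': the app gets a scoped token, never the password."""
        bad = set(scopes) - DELEGABLE_SCOPES
        if bad:  # e.g. changing the password is simply not delegable to an app
            raise ValueError(f"not delegable to an app: {sorted(bad)}")
        tok = secrets.token_urlsafe(24)
        self._tokens[tok] = AppToken(app, frozenset(scopes))
        return tok
    def allows(self, tok, scope):
        """True only for a live (unrevoked) token that was granted this scope."""
        t = self._tokens.get(tok)
        return t is not None and not t.revoked and scope in t.scopes
    def connected_apps(self):
        return sorted({t.app for t in self._tokens.values() if not t.revoked})
    def revoke_unused(self, still_used):
        """The periodic clean-out: revoke every connected app not on the keep-list."""
        gone = set(self.connected_apps()) - set(still_used)
        for t in self._tokens.values():
            if t.app in gone:
                t.revoked = True
        return sorted(gone)

def demo():
    idp = IdentityProvider()
    reader = idp.authorize_app("QuizApp", ["profile:read"])  # read-only app
    poster = idp.authorize_app("StatsApp", ["posts:read", "posts:write"])
    can_post = (idp.allows(reader, "posts:write"), idp.allows(poster, "posts:write"))
    try:
        idp.authorize_app("AnyApp", ["account:password"])
        pw_delegable = True
    except ValueError:
        pw_delegable = False
    removed = idp.revoke_unused({"QuizApp"})  # forgot about StatsApp: revoke it
    return can_post, pw_delegable, removed, idp.allows(poster, "posts:write"), idp.connected_apps()
```

The read-only token can look but not post, no app token can ever reach password rights, and once the forgotten app is revoked its old token stops working without the user changing anything else.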
Here’s a quick How To reminder for the main three social media sites I use:
Facebook: Click on the question mark drop-down menu and select Privacy Check-Up. Go to the left-hand rail (or, on the web, Next) and select Apps. With Facebook especially, plenty of these apps may have read-only access to your data, so they can look but not touch. Still, get rid of anything you don’t use regularly, and especially things you authorized and forgot about. Also, for the love of little blue fishes, please don’t let anyone see your birthdate – let it be Month and Day only, not including the year. Additionally, lock it to Friends only.
Twitter: Click on your avatar circle on the top right, next to the “Tweet” button, and select Settings and privacy. Look at the list on the left side, under your name and avatar, and click Apps. Click Revoke Access for everything outdated or unused, as per above.
Google: Google makes it easy with the Security Checkup, which runs through your app permissions, app-specific passwords, connected devices, and other points of vulnerability for your account. Run it now and clean out all the accumulated detritus.
Published at DZone with permission of Jeannie Warner, DZone MVB.