
Privacy Protection for Handheld App Webpage Access?

Cliff posted more than 8 years ago

12

Prof. Jonathan Ezor, Touro Law Center asks: "Is anyone using a third-party application on a Treo, Blackberry or other handheld to access login-protected Internet resources such as eBay, satellite radio services, and the like? (I'm thinking of programs like Abidia or MiniXM.) If so, have you thought at all about who might be running those services, and who is getting access to your login information via the service in addition to the site you want to access? If this does concern you, what have you done about it?"


12 comments


nope (0)

Anonymous Coward | more than 8 years ago | (#15031943)

I prefer to have my network connections to be of the wired variety.

duh (0, Troll)

black mariah (654971) | more than 8 years ago | (#15031994)

Do you also worry about who is handling your login information on every website you ever visit? No? Then shut up and quit being fucking paranoid.

Not only handhelds (3, Informative)

Baricom (763970) | more than 8 years ago | (#15032033)

I'd like to mention that limiting the argument to handhelds only does something of a disservice to the community. There are many applications on desktop and notebook PCs that require login information from various web sites to do their job.

The problem is not really the software, but rather the web services. It would make more sense for the web services to give out disposable access tokens than to require users to give their account information to untrusted programs. Yahoo! [yahoo.com] is sort of using this approach with their developer IDs. If they added the ability to remove existing IDs, you'd have a fairly secure system to authenticate to web services via third-party programs, which wouldn't require that much additional effort or infrastructure.
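A sketch of the scheme this comment describes, added here as an illustration and not part of the original post or any real service's API: the service issues a separate random token per third-party program, stores only its hash, and lets the user remove one program's token without changing the password. `TokenService`, the account name and the app names are hypothetical.

```python
import hashlib
import hmac
import secrets


class TokenService:
    """Toy web-service side: one revocable token per third-party app."""

    def __init__(self):
        # account -> {app_name: sha256(token)}; the raw token is never stored.
        self._tokens = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, account, app_name):
        """Create a token for one app; the account password is never shared."""
        token = secrets.token_urlsafe(32)
        self._tokens.setdefault(account, {})[app_name] = self._digest(token)
        return token

    def revoke(self, account, app_name):
        """Remove one app's token only. Returns True if a token existed."""
        return self._tokens.get(account, {}).pop(app_name, None) is not None

    def authenticate(self, account, token):
        """Return the app the token belongs to, or None if unknown or revoked."""
        presented = self._digest(token)
        for app_name, stored in self._tokens.get(account, {}).items():
            if hmac.compare_digest(stored, presented):
                return app_name
        return None


def demo():
    # Constructed scenario: two programs hold tokens, one is later revoked.
    svc = TokenService()
    handheld = svc.issue("alice", "handheld-auction-client")
    desktop = svc.issue("alice", "desktop-sniper")
    before = svc.authenticate("alice", handheld)
    svc.revoke("alice", "handheld-auction-client")
    after = svc.authenticate("alice", handheld)
    other = svc.authenticate("alice", desktop)
    return before, after, other
```
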

Re:Not only handhelds (3, Informative)

lisaparratt (752068) | more than 8 years ago | (#15032201)

The problem is more prevalent with hand held mobile apps because they tend to use a third party server as a man in the middle. If this machine stores your authentication information, then it'll prove a juicy target for crackers.

Answers the questions, in full. (1, Informative)

Anonymous Coward | more than 8 years ago | (#15032075)

No. Yes. I have decided not to use those devices as such.

Ask, and then evaluate (4, Informative)

Barrellina (922837) | more than 8 years ago | (#15032106)

Baricom's post about webservice authentication is valid. Be that as it may, the current implementations are lacking, so you're generally still stuck with third-party apps sending your credentials around.

The same due diligence is required for mobile apps as for desktop apps that act as service "proxies". One would assume the mobile apps in question just store your credentials locally on the device, and only send them to the online service for authentication when required (via http(s)... sometimes via webservice, sometimes with straight-up post and get requests). Also, back-to-base communication in such apps tends to be common... looking for new versions, etc... which looks like where your concerns may lie - what, if anything, is being sent back to this middle-man company? (I assume that's what we're talking about, and not a designed-for-mobile-website that works in a similar way.)

With desktop apps that do this sort of stuff, you tend to have the benefit of a reasonably large community that will pounce on any dodgy behaviour present in the apps. There are usually always savvy users using all sorts of utilities that can expose dodgy behaviour. You may not have this kind of luxury with mobile apps at the moment.

But common sense should help a lot. Asking really helps, too.

For commercial apps, I would just contact the company directly and ask what, if anything, gets sent back-to-base or if the app has any phone-home behaviour at all. If you don't trust the vendor all that much, but are unable to choose an alternative application for whatever reason, then you could always evaluate the app in an emulator on a desktop PC and check whether it's just contacting the service (eBay or whatever), or if it's also trying to contact the vendor.

Open source mobile apps make the source-code available as well (obviously... sorry for the redundancy). If you're not into trawling through the source (or if it's using a platform/framework/language/etc that you're not too familiar with) then it should be fairly easy to contact the development team directly and ask them the simple "does it phone-home?" question.

So, I'd ask first, and then verify the expected behaviour by running it in an emulator, and logging its network requests. If there's a mobile firewall product (a ZoneAlarm equivalent... others will have their favourites) that can prompt on connection requests, that'd be neat - you could deny the unexpected ones.
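The verification step described in this comment, as an added example that is not part of the original post: given a connection log captured while the app runs in an emulator, list every destination that is not the service the app is supposed to talk to. The log format, the `.example` host names and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample: connection log from an emulator run.
# Assumed format: "<timestamp> CONNECT <host>:<port>"
SAMPLE_LOG = """\
2006-04-01T10:00:01 CONNECT signin.auction.example:443
2006-04-01T10:00:02 CONNECT api.auction.example:443
2006-04-01T10:00:02 CONNECT updates.appvendor.example:80
2006-04-01T10:00:05 CONNECT api.auction.example:443
2006-04-01T10:00:09 CONNECT stats.appvendor.example:443
2006-04-01T10:00:11 CONNECT notauction.example:443
garbage line the logger truncated
"""


def is_expected(host, expected_domains):
    """True if host is an expected domain or a subdomain of one.

    Matching on the label boundary (".auction.example") keeps a lookalike
    such as "notauction.example" from passing a plain suffix check.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in expected_domains)


def unexpected_destinations(log_text, expected_domains):
    """Return {(host, port): count} for connections outside expected_domains."""
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "CONNECT":
            continue  # skip malformed or unrelated lines
        host, sep, port = parts[2].rpartition(":")
        if not sep or not port.isdigit():
            continue
        if not is_expected(host, expected_domains):
            hits[(host.lower(), int(port))] += 1
    return dict(hits)


if __name__ == "__main__":
    for (host, port), n in unexpected_destinations(SAMPLE_LOG, {"auction.example"}).items():
        print(f"unexpected: {host}:{port} ({n}x)")
```
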

Opera Mini (4, Informative)

Dienyddio (161154) | more than 8 years ago | (#15032249)

This is a wonderful tool, possibly the best web browser available for the j2me platform but has a hefty EULA which is well worth reading.

Opera mini works through a proxy which will crunch down web pages to make them more palatable for a mobile device, however you now have a proxy which has full access to every page you navigate and will store all of your passwords.

This is all clearly noted in the EULA but if, as most people will, you just accept without thinking you may not be aware of this. I had a brief trawl of the Opera website looking to see if I could find the EULA to post an example but could not find the text of this agreement. This worries me as the only time I have found you can view this agreement is on the handset the first time you connect to the service (yes Opera now have detail of your handset before you agree to the EULA).

Opera makes all the right noises about privacy and to be honest this browser is just too good not to use but there is no way in hell I'd use it for anything that requires an iota of security.

Re:Opera Mini (1)

kevlar (13509) | more than 8 years ago | (#15032351)

...Or, you can use a device that is capable of browsing real world websites, such as IE Mobile on a smartphone or pocketpc. It has limitations of course, such as layout problems, but I can almost always work around those by selecting a different layout to display the page in.

Re:Opera Mini (1)

DrSkwid (118965) | more than 8 years ago | (#15033491)

Good idea, I will switch to I.E. Mobile for all my web security needs, what could possibly go wrong !

One more thing, where can I download this modern marvel for Symbian ?

Re:Opera Mini (1)

tlhIngan (30335) | more than 8 years ago | (#15034341)

Opera (full version) is available for Symbian UIQ and Symbian Series-60 devices... it's on their web page. (I believe the UIQ version is free for Sony Ericsson phones).

This isn't a mini version, but a full blown one that renders locally. It shows how inadequate my phone is (16MB RAM, 146MHz CPU) for browsing the web - anything more than a few anigifs, javascripts, or full sized images and the phone slows to a crawl. Toss in Java applets and you've got a battery sucker as the CPU gets pegged at 100%.

(That said, it's one of the few that can view PNGs correctly...).

Re:Opera Mini (1)

Dienyddio (161154) | more than 8 years ago | (#15034176)

It's great to know that you have a mobile device with the horsepower to give you a secure and robust solution where you can rely that the software on your PocketPC is the only entity which is processing the data you receive.

That's all well and good if you have a device capable of running in this way but this article is about proxy services and if you trust the company running the service with your private data.

Opera provides a service (an excellent service IMO) unfortunately in order to make this service work all of your sensitive data is logged on the Opera servers. It is the ultimate man in the middle attack. Opera is clear on the issue of how it will use this data but people may not be aware of this. Personally I would be much happier if this was fully disclosed on their site before you downloaded the midlet. Indeed any program that works in this way should have a clear policy on the data they collect and hold.

The question as posed in the article is one of trust.

Having never used Abidia or MiniXM I can only comment on a service I have used that falls into the same category. Do these services have a clear privacy statement? Do you trust the companies that run these services?

Opera does and still I wouldn't trust them as far as I could throw them and only use Opera Mini to google the odd thing because it is fast and pretty :-)
This is not a comment on Opera or any other company but my own paranoia which makes me very twitchy about giving out sensitive data.

Thanks, all (1)

jezor (51922) | more than 8 years ago | (#15034972)

I appreciate your comments. Please forward my query to anyone else whom you think might have some insight. {Jonathan}