How far can we trust apps?
Posted on 27 Oct 2009 at 14:25
Davey Winder wonders if we trust apps and web services a little more than we should
I had an interesting email exchange with a reader recently about his Twitter account. He’d read warnings about giving his login details to companies that claimed to increase his followers, so just who could he trust with this information?
My kneejerk response is absolutely nobody, but then I could only access Twitter using the default client – but I did trust Twittelator Pro, the iPhone app I use to access Twitter when away from my desk. Giving it my trust diluted the implied security of my login by a percentage point every time, but I decided to do it based on its reputation (the wisdom-of-crowds approach) and how much value I get from the product.
Those of us “early adopters” who have been exposed to technology for far too long tend not to apply such pro and con analysis often enough. We see a new iPhone app that promises to make life easier and install it, handing over login information without a thought. Or some new web service that might bring order to our chaotic life and, bingo! We do it again.
All of us – but, perhaps, we PC pros more than most – need to consider such actions with a little more rigour. For example, I wouldn’t hand out my online bank login to anyone, no matter what the app promised to add to my banking experience, at least not unless it was directly recommended to me by the bank itself as a trusted partner.
But perhaps this example is too clear-cut: what about giving up your mobile phone account login to get an app that enables you to glance at details of your account status, text allowance, minutes used, running totals and so on, on your phone? This is pretty damn useful for an iPhone user, but surely people would think twice before entering login data that could potentially allow someone to change their personal details, upgrade accounts and the like?
Michael McNeela should know, as he’s the developer of just such an application – Mobile Allowance – which, as I write, is zooming up the App Store charts. I asked Michael if he has many people contact him about security before entering their O2 account login details, since there’s no mention of data security either in the App Store description or when you start the application itself.
Do people care about their data?
Surprisingly, the answer is no – Michael tells me he gets “almost no queries about the security of the app or where their details are going”, around one question for every 10,000 new users. It would seem that the average user simply trusts third-party applications with this kind of login data, and the one out of 10,000 who don’t, says Michael, tend to be “very critical of both me and the app”.
Personally, I think that all developers of third-party apps for iPhone, web browser or desktop should make it clear what security measures are in place, and have a privacy policy to view when installing their programs.
Michael tells me that his Mobile Allowance app “talks to the O2 website directly via an encrypted connection, and so login details are stored locally on the device using the standard iPhone SDK storage mechanism” – meaning that users’ details never reach him at all.
He admits it isn’t ideal, that he’d prefer “some form of certification being presented. Issued by the integrated website/service in question, Twitter certification for example, similar to what Skype does for hardware.”
Data security with Lookeen
Great add-in for Outlook 2003, 2007 and 2010 is Lookeen.
With Lookeen you don't need to be afraid of your data security.
Configuring, restricting and rollout – with the delivered Lookeen Group Policies you control the using of Lookeen as a system administrator along your company.
With the Lookeen Group Policies you are able to give employees access to sensible or confidential Outlook items, only if they are allowed to. Your IT department or an administrator could easily manage which employee is allowed to e.g. search with the add-in Lookeen on your Exchange Server, Public Folder or on your network and who’s not.
Even the indexing or searching of PST files could be centrally controlled with the Lookeen Group Policies.
Precise control with multi level access restrictions: You are able to allow an employee to index and find sensible or confidential Outlook items, but to restrict opening or displaying it. With the Lookeen Group Policies you will have your sensible Outlook data under control. The sync of your Exchange Servers will not be influenced.
By JudginD on 29 Nov 2009
Data security with Lookeen
More Info? www.lookeen.net
By JudginD on 29 Nov 2009
Davey Winder
Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.

