How far can we trust apps?
Posted on 27 Oct 2009 at 14:25
Davey Winder wonders if we trust apps and web services a little more than we should
While waiting for companies to adopt such initiatives, if they ever do, it will, he says, “be up to the user to decide who to trust for the foreseeable future”.
I find it useful to think about this in terms of US-style valet parking. Many luxury cars now come with a valet key as well as the regular key: give the parking guy the valet key and he can drive the car only for a mile or so, can’t open the boot, or use many of the in-car functions such as the mobile phone.
The valet gets restricted access to the vehicle using a special key in order to perform a particular function on your behalf, while you keep the real key that unlocks everything. Isn’t a valet key just what’s needed in the world of third-party applications that access online services? I believe it is, and so do the people who are providing such a key via the OAuth project, “an open protocol that allows secure and standardised API authorisation from desktop and web applications”.
OAuth got off the ground at the back end of 2006 during ongoing work on an OpenID implementation for Twitter. Several developers got together to discuss the possibility of using OpenID alongside the Twitter API to delegate authentication, and discovered that there wasn’t any open standard for such API access delegation.
Fast-forward to the middle of 2007, when Google got interested in the idea, and the final draft of OAuth Core 1.0 was released by the end of the same year. The main protocol has now been finalised, libraries are available for platforms including PHP, .NET and C, and OAuth is being implemented by the likes of Twitter, which is good news.
It means that if an application’s developer supports it, you can securely exchange authorisation data between that application and a web service without exposing your login details to the third-party developer at all. The OAuth key is a token that grants access to a particular site in order to use particular resources for a particular period of time.
I can therefore use an application that requires access to my Twitter account, safe in the knowledge that said application won’t store my login data on its servers and add another layer of insecurity to the privacy onion.
I like the simplicity of OAuth – as an end user all you need do is authorise a login via Twitter and let OAuth take care of the rest. More power to Twitter’s elbow for supporting it, and to Google, which supports it across all the Google Data APIs including Calendar, Blogger and Picasa Web Albums.
Of course, OAuth isn’t a magic bullet and cannot guarantee security or privacy: that depends on the implementation at the end of the day, so there’s still no getting away from the value of trust. But OAuth allows your trust to spread a little wider than it might without it.
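To make the valet-key idea concrete, here is an added example (not from the column, and not any library’s or Twitter’s code) of the OAuth 1.0 request-signing and service-side checking just described: the third-party app signs each request with its consumer secret and the token secret, and the service accepts it only if the signature matches, the token has not expired and its scope covers the call. The token store, secrets, URL and parameter values are all constructed for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(value):
    """Percent-encode per OAuth 1.0 (only the RFC 3986 unreserved set is left alone)."""
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    """Signature base string: METHOD & encoded base URL & encoded, sorted
    parameters (every request parameter except oauth_signature)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalised = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalised)])

def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 signature. The key is consumer secret & token secret, so the
    user's actual password never travels with, or is stored by, the app."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

# Constructed token store on the service side: each access token carries its
# own secret, the scope the user granted, and an expiry time (the "valet key").
TOKENS = {
    "tok-read-1":   {"secret": "ts-1",   "scope": "read", "expires": 2000},
    "tok-read-old": {"secret": "ts-old", "scope": "read", "expires": 500},
}
CONSUMER_SECRET = "cs-app"  # constructed secret issued to one third-party app

def verify_request(method, url, params, signature, needed_scope, now):
    """Service-side check: known, unexpired token with the right scope, and a
    signature that matches the request exactly as it was received."""
    token = TOKENS.get(params.get("oauth_token"))
    if token is None or now >= token["expires"] or token["scope"] != needed_scope:
        return False
    expected = sign(method, url, params, CONSUMER_SECRET, token["secret"])
    return hmac.compare_digest(expected, signature)

def demo():
    """A valid read call from the app, as the service would see it."""
    url = "https://api.example.com/1/statuses/home_timeline.json"  # constructed
    params = {"oauth_consumer_key": "ck-app", "oauth_token": "tok-read-1",
              "oauth_nonce": "n1", "oauth_timestamp": "1000",
              "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
              "count": "5"}
    sig = sign("GET", url, params, CONSUMER_SECRET, "ts-1")
    return verify_request("GET", url, params, sig, "read", now=1000)
```

Changing any parameter, presenting an expired token, or asking for a scope the user never granted makes `verify_request` return `False`, which is the restriction the column’s valet-key analogy describes.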
Data security with Lookeen
Lookeen is a great add-in for Outlook 2003, 2007 and 2010.
With Lookeen you don't need to be afraid for your data security.
Configuration, restriction and rollout: with the supplied Lookeen Group Policies you, as a system administrator, control the use of Lookeen across your company.
With the Lookeen Group Policies you are able to give employees access to sensible or confidential Outlook items only if they are allowed to. Your IT department or an administrator can easily manage which employees are allowed to, e.g., search with the Lookeen add-in on your Exchange Server, Public Folders or your network, and which are not.
Even the indexing or searching of PST files can be centrally controlled with the Lookeen Group Policies.
Precise control with multi-level access restrictions: you are able to allow an employee to index and find sensible or confidential Outlook items, but restrict opening or displaying them. With the Lookeen Group Policies you will have your sensible Outlook data under control. The sync of your Exchange Servers will not be affected.
By JudginD on 29 Nov 2009
Data security with Lookeen
More info? www.lookeen.net
By JudginD on 29 Nov 2009
Davey Winder
Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.