Privacy Protection for Handheld App Webpage Access?

Posted by Cliff
Prof. Jonathan Ezor, Touro Law Center asks: "Is anyone using a third-party application on a Treo, Blackberry or other handheld to access login-protected Internet resources such as eBay, satellite radio services, and the like? (I'm thinking of programs like Abidia or MiniXM.) If so, have you thought at all about who might be running those services, and who is getting access to your login information via the service in addition to the site you want to access? If this does concern you, what have you done about it?"

  • Not only handhelds (Score:4, Informative)

    by Baricom (763970) on Friday March 31, 2006 @12:27AM (#15032033)
    I'd like to mention that limiting the argument to handhelds only does something of a disservice to the community. There are many applications on desktop and notebook PCs that require login information from various web sites to do their job.

    The problem is not really the software, but rather the web services. It would make more sense for the web services to give out disposable access tokens than to require users to give their account information to untrusted programs. Yahoo! [yahoo.com] is sort of using this approach with their developer IDs. If they added the ability to remove existing IDs, you'd have a fairly secure system to authenticate to web services via third-party programs, which wouldn't require that much additional effort or infrastructure.
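The "disposable access token" scheme described in the post above, worked through as an added example (not code from the post, from Yahoo!, or from any of the services named): the service issues a per-application token that carries a limited scope and an expiry, the user can list and revoke tokens, and the third-party program never sees the account password. Token format, scope names and the HMAC construction are this example's own assumptions.

```python
"""Disposable, scoped, revocable access tokens for third-party apps.

Added example (assumed design, not any real service's API). Token format:
    base64url(JSON payload) "." base64url(HMAC-SHA256 over the payload)
The signing key stays on the service side; the app only ever holds the token.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


class TokenService:
    """Runs on the web service; issues tokens to users for named apps."""

    def __init__(self, key: bytes):
        self._key = key
        self._issued = {}      # token id -> payload, so the user can review them
        self._revoked = set()  # token ids the user has removed

    def issue(self, user, app, scopes, ttl=3600, now=None):
        now = time.time() if now is None else now
        payload = {
            "tid": secrets.token_hex(8),     # random id, lets a single token be revoked
            "sub": user,
            "app": app,                      # which third-party program holds it
            "scope": sorted(scopes),         # least privilege: only what the app needs
            "exp": int(now + ttl),
        }
        body = _b64e(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
        mac = hmac.new(self._key, body, hashlib.sha256).digest()
        self._issued[payload["tid"]] = payload
        return (body + b"." + _b64e(mac)).decode()

    def verify(self, token, required_scope, now=None):
        """Return (payload, 'ok') or (None, reason). Signature is checked first."""
        now = time.time() if now is None else now
        try:
            body, sig = token.encode().split(b".")
        except ValueError:
            return None, "malformed"
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):
            return None, "bad signature"
        payload = json.loads(_b64d(body))
        if payload["exp"] < now:
            return None, "expired"
        if payload["tid"] in self._revoked:
            return None, "revoked"
        if required_scope not in payload["scope"]:
            return None, "insufficient scope"
        return payload, "ok"

    def tokens_for(self, user):
        """What the user sees on a 'manage authorized apps' page."""
        return [(p["tid"], p["app"], p["scope"]) for p in self._issued.values()
                if p["sub"] == user and p["tid"] not in self._revoked]

    def revoke(self, tid):
        self._revoked.add(tid)


if __name__ == "__main__":
    svc = TokenService(b"constructed-demo-key")   # constructed key for the demo
    tok = svc.issue("alice", "auction-helper", ["bid:read"], ttl=60, now=1000)
    print(svc.verify(tok, "bid:read", now=1010)[1])     # ok
    print(svc.verify(tok, "bid:place", now=1010)[1])    # insufficient scope
    svc.revoke(svc.tokens_for("alice")[0][0])
    print(svc.verify(tok, "bid:read", now=1010)[1])     # revoked
```

Revoking one token id cuts off one application without touching the password or the user's other authorized apps, which is the missing "remove existing IDs" step the post asks for; the scope list keeps a compromised app from doing more than it was granted.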
  • by Anonymous Coward
    No. Yes. I have decided not to use those devices as such.
  • by Barrellina (922837) on Friday March 31, 2006 @12:51AM (#15032106)
    Baricom's post about webservice authentication is valid. Be that as it may, the current implementations are lacking, so you're generally still stuck with third-party apps sending your credentials around.

    The same due diligence is required for mobile apps as for desktop apps that act as service "proxies". One would assume the mobile apps in question just store your credentials locally on the device, and only send them to the online service for authentication when required (via http(s)... sometimes via webservice, sometimes with straight-up post and get requests). Also, back-to-base communication in such apps tends to be common... looking for new versions, etc... which looks like where your concerns may lie - what, if anything, is being sent back to this middle-man company? (I assume that's what we're talking about, and not a designed-for-mobile-website that works in a similar way.)

    With desktop apps that do this sort of stuff, you tend to have the benefit of a reasonably large community that will pounce on any dodgy behaviour present in the apps. There are usually always savvy users using all sorts of utilities that can expose dodgy behaviour. You may not have this kind of luxury with mobile apps at the moment.

    But common sense should help a lot. Asking really helps, too.

    For commercial apps, I would just contact the company directly and ask what, if anything, gets sent back-to-base or if the app has any phone-home behaviour at all. If you don't trust the vendor all that much, but are unable to choose an alternative application for whatever reason, then you could always evaluate the app in an emulator on a desktop PC and check whether it's just contacting the service (eBay or whatever), or if it's also trying to contact the vendor.

    Open source mobile apps make the source-code available as well (obviously... sorry for the redundancy). If you're not into trawling through the source (or if it's using a platform/framework/language/etc that you're not too familiar with) then it should be fairly easy to contact the development team directly and ask them the simple "does it phone-home?" question.

    So, I'd ask first, and then verify the expected behaviour by running it in an emulator, and logging its network requests. If there's a mobile firewall product (a ZoneAlarm equivalent... others will have their favourites) that can prompt on connection requests, that'd be neat - you could deny the unexpected ones.
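The verification step in the post above (run the app in an emulator, log its network requests, and see whether it talks only to the service or also to the vendor) as an added example, not code from the post or from any of the apps or products named. The capture is constructed, and its line format, the host names and the allowlist are all assumptions of this example.

```python
"""Check an app's captured connections against the hosts it is expected to use.

Added example. Input is a constructed connection log from an emulator run;
the format "<date> <time> <proto> <host>:<port> <bytes_out>" is assumed.
"""
import re
from collections import Counter

# Constructed sample capture: the app logs in to the auction service, then
# also opens two connections to hosts belonging to the app vendor.
CAPTURE = """\
2006-03-31 00:51:02 TLS signin.ebay.example:443 1840
2006-03-31 00:51:04 TLS api.ebay.example:443 612
2006-03-31 00:51:05 TCP update.vendor.example:80 344
2006-03-31 00:52:10 TLS api.ebay.example:443 598
2006-03-31 00:52:11 TCP stats.vendor.example:80 1203
"""

# Domains the app legitimately needs: the service it fronts for (assumed).
EXPECTED_DOMAINS = {"ebay.example"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>\S+) (?P<host>[^:\s]+):(?P<port>\d+) (?P<bytes>\d+)$"
)


def parse(capture):
    """Yield one dict per well-formed log line; skip anything that doesn't match."""
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            d["bytes"] = int(d["bytes"])
            yield d


def in_domain(host, domains):
    """True if host equals or is a subdomain of any allowed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(capture, expected=EXPECTED_DOMAINS):
    """Split connections into expected service traffic and everything else.

    Returns a dict with:
      expected  - Counter of connections per expected host
      unexpected - list of (host, port, bytes_out) to hosts outside the allowlist
      cleartext  - hosts contacted without TLS (credentials would travel in the clear)
    """
    expected_hosts = Counter()
    unexpected = []
    cleartext = []
    for c in parse(capture):
        if in_domain(c["host"], expected):
            expected_hosts[c["host"]] += 1
        else:
            unexpected.append((c["host"], c["port"], c["bytes"]))
        if c["proto"] != "TLS":
            cleartext.append(c["host"])
    return {"expected": expected_hosts, "unexpected": unexpected, "cleartext": cleartext}


def unexpected_bytes(report):
    """Total bytes sent to hosts that are not the service; a rough 'phone-home' volume."""
    return sum(b for _, _, b in report["unexpected"])


if __name__ == "__main__":
    rep = classify(CAPTURE)
    for host, port, nbytes in rep["unexpected"]:
        print(f"unexpected: {host}:{port} ({nbytes} bytes out)")
    print("bytes to non-service hosts:", unexpected_bytes(rep))
```

Anything in the "unexpected" list is the question to put back to the vendor: what is sent there and why. A non-empty "cleartext" list is a separate problem, since a login over plain HTTP exposes the credential to every hop, not just the vendor.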
  • Opera Mini (Score:4, Informative)

    by Dienyddio (161154) on Friday March 31, 2006 @01:54AM (#15032249)
    This is a wonderful tool, possibly the best web browser available for the j2me platform but has a hefty EULA which is well worth reading.

    Opera mini works through a proxy which will crunch down web pages to make them more palatable for a mobile device, however you now have a proxy which has full access to every page you navigate and will store all of your passwords.

    This is all clearly noted in the EULA but if, as most people will, you just accept without thinking you may not be aware of this. I had a brief trawl of the Opera website looking to see if I could find the EULA to post an example but could not find the text of this agreement. This worries me as the only time I have found you can view this agreement is on the handset the first time you connect to the service (yes, Opera now have details of your handset before you agree to the EULA).

    Opera makes all the right noises about privacy and to be honest this browser is just too good not to use but there is no way in hell I'd use it for anything that requires an iota of security.
    • ...Or, you can use a device that is capable of browsing real world websites, such as IE Mobile on a smartphone or pocketpc. It has limitations of course, such as layout problems, but I can almost always work around those by selecting a different layout to display the page in.
      • Good idea, I will switch to I.E. Mobile for all my web security needs, what could possibly go wrong !

        One more thing, where can I download this modern marvel for Symbian?
        • Opera (full version) is available for Symbian UIQ and Symbian Series-60 devices... it's on their web page. (I believe the UIQ version is free for Sony Ericsson phones).

          This isn't a mini version, but a full blown one that renders locally. It shows how inadequate my phone is (16MB RAM, 146MHz CPU) for browsing the web - anything more than a few anigifs, javascripts, or full sized images and the phone slows to a crawl. Toss in Java applets and you've got a battery sucker as the CPU gets pegged at 100%.

          (That sai
      • It's great to know that you have a mobile device with the horsepower to give you a secure and robust solution where you can rely that the software on your PocketPC is the only entity which is processing the data you receive.

        That's all well and good if you have a device capable of running in this way but this article is about proxy services and if you trust the company running the service with your private data.

        Opera provides a service (an excellent service IMO) unfortunately in order to make this service wor
  • I appreciate your comments. Please forward my query to anyone else whom you think might have some insight. {Jonathan}
