The single-click Google account login for Android apps is a little too convenient for hackers, according to Tripwire's Craig Young, who has demonstrated a flaw in the authentication method. The mechanism is called “weblogin”, and basically it allows users to use their Google account credentials as authentication for third-party …
There's that "3rd party" again
I like that my Android makes it easy-peasy to log in to my Google account just by turning it on, but I NEVER use my Google account to sign on to any websites OTHER than Google.
That's just stupid.
For you Facebroke users the same applies. Or any other social gimmicks you use. Never use that account to sign in to anywhere BUT that website.
And stop downloading every damn flashy app that comes along.
Apple's Walled garden seems rather attractive (not that it is without its problems) but as I don't use either it is rather moot.
coat (not that I need one today) and I'm gone to avoid the plethora of downvotes.
I made the mistake of trusting Apple a few years back, first time I can recall someone stealing something on one of my credit cards but it was a valuable lesson in why it's a bad idea to leave financial details with these companies.
In other words I wouldn't put too much faith in Apple's walled garden, it was only recently we heard news of Apple having to take down their dev center and we've seen other examples of them failing to match their competitors in terms of infrastructure. That's not to say that I think they're especially good or bad at security merely that you can't truly rely on any company to always be secure.
Who says that it was Apple they hacked? If you have never used your card with anyone other than Apple then you can be guaranteed it was Apple. But if you used it anywhere else then there's no guarantee of how your details have been stored.
They might be stored, emailed or sent plain text for all you know. This is something that needs to be dealt with by the data protection act. It probably already covers your name, address and phone number, but perhaps not credit card numbers?
The walled garden didn't help Mat Honan.
This has nothing to do with Android, but with the Google websites
Of course it was Apple, the problem only occurred with the Apple account and the card itself I think I still use with issue. The surprising thing for me was they didn't seem interested in doing anything about it, they did unlock the account but had me contact my credit card company to sort out the money side of things rather than handle it directly.
There's other explanations of course, perhaps I was using an insecure password but considering this has only ever happened to me with Apple I'm inclined to suspect the fault lies with them but even if it was my fault in this case that doesn't detract from the other more visible issues I raised does it?
Is there any difference between this and someone copying a cookie from your web browser's cache?
Which is why, if I ever buy a paid Android application, I delete my credit card from the Google Wallet as soon as I've done so.
UKash, Paypal, and pre-paid debits cards are your friends.
Or, you know, Google Play vouchers.
two step verification..
You can then set up passwords on a PER SERVICE basis.
it's not rocket science..
Re: two step verification..
It may not be rocket science but it is backward thinking.
Companies like Google have a legal responsibility to keep your data safe and Google would actually be in breach of the data protection act over this. Comments like yours are counter productive because it takes the responsibility away from the company holding, handling and leaking the data and putting it on the user.
Two step authentication, limiting account access, etc are not opt-ins those are defaults.
Of course, if you're using these Google services you're already putting your personal data in the hands of the largest advertising company on the planet. Their reasons for volunteering to store your data are quite possibly not the same reasons you want to store said data. Important to bear in mind, I feel.
Stupid deliberately misleading headline
Headline should read ... "Malicious apps can access all of your data" Hardly anything new there, just a slightly different attack vector, still requiring the user to be the kind of drooling imbecile who likely has his full credit card details tattooed on his face.
Re: Stupid deliberately misleading headline
Got to make life easier for the NSA.
But it's so darn convenient!
Convenience is the rope they give you to hang yourself with. (Which is likely your point anyway!)
Foil hat off.
I'd trust Apple any day to store my details / data over Google - Google give you all this stuff for free in return for logging your usage, mining your data and using it to push ads etc.
I wish someone would produce an Android phone that didn't have all the Google stuff in it.
I only ever use Google for search and occasional mapping stuff. I simply do not trust Gmail, or GCloud (or whatever they call it) or GSpy. Unfortunately, Android doesn't seem to get this and assumes you're happy to hand over your entire life to Google. No different to Apple, of course, but that doesn't make it right.
There are plenty of ROMs you can get without GApps installed. If you want to add a new app, you have to do it the hard way, but not having the Google stuff is fairly straightforward if you're happy to flash a ROM.
Or, get a Chinese No-Name phone that isn't compatible with the "Play" store. Definitely a few of those around as well.
So if Android is so damn insecure...
How comes there's been no major breach / scandal / mainstream news story?
What is it 50% of new smartphones are Android? I've never heard of anyone actually having a problem with it... out of all the people I know with Android.
Genuine question, every week something new yet it's all hypothetical?
I was just laying in wait for the HTC ONE MAX or Galaxy Note 3 until I saw this. I guess it's back to the safety of another iPhone, with iOS 7 and Activation Lock...