
(1) Cell phone app security and (2) Shared-site login security

Status
Not open for further replies.

nate901

Technical User
Nov 27, 2001
32
US
Two things are really bugging me these days in regards to information privacy and security and I thought I'd bring them up here to get some feedback on them. First of all is the issue of these cell phone apps. When you read the user and privacy agreements you have to agree to download, it freaks me out what kind of access a lot of the apps want to have to areas of your phone data such as being able to monitor what phone numbers you call, your personal contacts, email and other info. Facebook is one of the worst in regards to this. I'm really considering removing their app from my phone because of all the stuff they want to access on my phone. People are so trusting of all the apps and I have to watch myself as well. I had some cool audio apps on my phone developed by some Russian guys and someone alerted in a review about the info access users were agreeing to for those apps and I uninstalled them. Sorry for being pre-judgmental but you hear so much stuff about Russians trying to crack software and stuff. I refuse to do any banking on my phone yet because of this app accessibility stuff. I realize this is going on in a lot of countries including America as well of course. Anyway, I expect any day now to see in the news about some big security leak in a cell phone service threatening a bunch of people's bank accounts. Maybe it already happened and I just don't know about it. They just announced a big bank industry hack in Korea yesterday. Scary stuff.

The second thing that's bugging me is how so many sites have the shared login thing now where they allow you to log in using a Facebook, Yahoo or Google account - those being some of the most common ones I see. Am I being too paranoid about not trusting this process? It seems to me it would be way too easy for some ill-meaning person at these sites to grab my login info for the other services and hijack my account for the service I logged in under. I don't trust that stuff at all and I'm not even sure what the correct term is for the process, so feel free to educate me on that also.
Thanks in advance for your feedback and comments.
 
For what it's worth, I agree with you on both accounts. I see all these apps that everyone is installing as being promiscuous and I avoid them. I consider this to be the next level of the Windows mentality of downloading unsigned binary executable code from unknown sources. Add to this the culture of putting trust in unknown 'cloud' sources and I think we have a pool ripe for infection. There are a few apps that I have used, but I've done so cautiously. I never use a phone for banking or other important things and I do not keep critical information stored on it. In fact, I have started to consider getting rid of the thing, if for no other reason than I don't want to be tracked and would rather go 'off grid' so to speak.

I also don't like the single sign-on concept, though in some ways I think it could help improve security. It is a problem in that every site almost wants a dedicated user name and authentication. Of course this makes it easy to track you for marketing purposes. With too many passwords it becomes problematic to manage them and consequently having a centralized entity that allows you to use a stronger code phrase could be beneficial. On the flip side, the exposure window for a compromise is greater. I personally do not have a Farsebook, or Google+ account and use distinct passwords for sites. My management method consists of a master document that has been encrypted which limits the number of passwords I need to remember while allowing me to use things like 20+ character passwords of unintelligible numbers, letters, and symbols. Other places I will use a long phrase of several words.

 