  1. wicketr's Avatar
       #1  
    Is anyone else wary about plugging in their google email and password to these homebrew applications (gDial Pro, dkGoogleVoice) with them being homebrew and closed source? They could easily be logging/forwarding your login info and reading your email, voicemail, documents, pictures, etc.

    Is anyone at PreCentral verifying that these apps are on the up-and-up? I guess I'm wary of any homebrew app that asks for non-homebrew user names and passwords.
  2. #2  
    Interesting.. This is another reason why an official store will be great.
  3. #3  
    It's fairly easy to log into the Pre via PuTTY or WinSCP and examine the code once you have all the proper tools installed. If there was code in the homebrew that was a security issue, I'm sure it would be found with the swiftness.
  4. MikeDubC's Avatar
    #4  
    I too am concerned about this....hmmmm
  5. #5  
    Get 7zip and decompress the ipk. Then you can view the source code and see what it does if you're that worried about it.
  6. #6  
    I wouldn't worry about those applications. They are built by well known forum members.

    You could run some program on your desktop computer that is a keylogger, steals passwords from IE or FF, etc. Those are also closed source.

    btw, if the source is obfuscated, 7zip will not help.
    Sprint Palm Pre - WebOS 2.1 > Sprint HTC Arrive
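The check described in posts #3, #5 and #6, as an added example that is not part of the thread or of either app: once the package is unpacked, list every host the source names that the app has no stated reason to contact, and flag files whose strings may be hidden from a plain read. The file names, the `collector.example.net` host and the allowlist are constructed assumptions.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s'"<>)\\]+""", re.I)
# Constructs that hide strings from a plain read of the source.
HIDING_RE = re.compile(
    r"\beval\s*\(|\bunescape\s*\(|String\.fromCharCode|(?:\\x[0-9a-fA-F]{2}){8,}")
TEXT_EXTS = {".js", ".html", ".json"}

def load_tree(root):
    """Read the text files of an extracted package directory into {path: text}."""
    return {str(p.relative_to(root)): p.read_text(errors="replace")
            for p in Path(root).rglob("*")
            if p.is_file() and p.suffix in TEXT_EXTS}

def audit(files, expected_hosts):
    """Return (unexpected, hidden).

    unexpected maps each host outside expected_hosts to the files naming it;
    hidden lists files that need a manual read because strings may be built
    at runtime (eval/unescape/fromCharCode, hex runs, minified long lines).
    """
    unexpected, hidden = {}, []
    for path, text in sorted(files.items()):
        for url in URL_RE.findall(text):
            try:
                host = (urlparse(url).hostname or "").lower()
            except ValueError:  # malformed literal, e.g. unbalanced brackets
                continue
            known = any(host == h or host.endswith("." + h) for h in expected_hosts)
            if host and not known:
                unexpected.setdefault(host, set()).add(path)
        if HIDING_RE.search(text) or any(len(l) > 2000 for l in text.splitlines()):
            hidden.append(path)
    return unexpected, hidden

# Constructed sample standing in for an unpacked app (not from any real package).
SAMPLE = {
    "app/assistants/login-assistant.js":
        'new Ajax.Request("https://www.google.com/accounts/ClientLogin", {});',
    "app/assistants/stats-assistant.js":
        'var u = "http://collector.example.net/log?d=" + encodeURIComponent(p);',
    "app/lib/util.js": 'eval(unescape("%76%61%72"));',
}

if __name__ == "__main__":
    unexpected, hidden = audit(SAMPLE, {"google.com"})
    print(sorted(unexpected.items()), hidden)
```

A clean result only covers hosts written out as literals; any file in the second list still has to be read by hand, which is the limit post #6 points at.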
  7. sjjones's Avatar
    #7  
    It's really very simple, don't use them if you are that worried about it?
  8. #8  
    Quote Originally Posted by sjjones View Post
    It's really very simple, don't use them if you are that worried about it?
    +1

    I mean... who knows? People at Palm may be reading all your email. I guess stop using your Pre?
  9. #9  
    Quote Originally Posted by mrjcarter View Post
    +1

    I mean... who knows? People at Palm may be reading all your email. I guess stop using your Pre?
    Yah because a random forum poster creating an app is exactly the same thing as a multi billion dollar company and its products.

    It's a valid concern, one that you can avoid by not using the app and waiting for the app catalog, it's not a store and not expected to be a store, to actually get something useful in it.
  10. #10  
    Quote Originally Posted by sjjones View Post
    It's really very simple, don't use them if you are that worried about it?
    +1

    I personally don't believe the evil stuff is happening, but then again I haven't used the apps till they're available from the app store. I've actually started working on one of my own that I doubt I'll release to the world.
  11. #11  
    Quote Originally Posted by Aridon View Post
    Yah because a random forum poster creating an app is exactly the same thing as a multi billion dollar company and its products.

    It's a valid concern, one that you can avoid by not using the app and waiting for the app catalog, it's not a store and not expected to be a store, to actually get something useful in it.
    Yah like there aren't any "bad" people working in multi billion dollar companies.
    I never said the chances of something happening were the same, but the chance is there nonetheless.
  12. wicketr's Avatar
       #12  
    I haven't used the program and I'm not sure if I will. I just find it odd that people are freely giving their google login information to another vendor/random person without any concerns about the security of it.

    What's next? An application from Joe Shmo Homebrewer to check your bank statements that asks for your login information to those institutions? Would you give some application that information?

    Essentially, how well do you trust these people and where does your trust stop? Somewhere after email credentials and before bank credentials?
    Last edited by wicketr; 08/07/2009 at 10:13 AM.
  13. #13  
    I'd say that the chances are small, and even though the code is "closed", it's not obfuscated. As was mentioned, you could examine the code and check for such things. One of the advantages of the open source community (and it applies here, since the code isn't obfuscated) is that there are lots of "QC auditors" out there. Lots of hobbyists that understand programming are looking at the code.

    As far as waiting for the Apps Catalogs, does anyone here really believe that a team at Palm is going to go through every line of code on the submitted Apps to ensure that there is nothing malicious in them? I don't think so.

    This is a broader security issue than just homebrew apps for Google Voice. This is a problem for any programs released for PDA (and really, even for computers in general). When you install software on these PDAs, you don't know what they're going to do. The "assurance" from well-known publishing houses is the fact that they could get sued if they released something that was malicious, thus they do their own internal code checking.

    You don't have that with apps written by individuals or unknown companies.

    Things like this are exactly why IT departments have (and sometimes require) advanced security capabilities - so they can control what goes on a device, and ensure that only known programs make it there.
  14. #14  
    Quote Originally Posted by wicketr View Post
    I haven't used the program and I'm not sure if I will. I just find it odd that people are freely giving their google login information to another vendor/random person without any concerns about the security of it.

    What's next? An application from Joe Shmo Homebrewer to check your bank statements that asks for your login information to those institutions? Would you give some application that information?

    Essentially, how well do you trust these people?
    As I alluded to in my post right above this, exposure like this exists with just about any software. Are you sure that the really cool public domain game that you downloaded to your PC isn't logging keystrokes and sending everything you type to some geek living in his mother's basement?

    Or how about the web page that you just visited, how sure are you that it didn't install code that's now tracking where you go, so it "knows" what advertising to bombard you with.

    I'm not saying that we should all just not worry about any of this stuff, or that we should worry excessively. Some caution is definitely prudent.

    In this case though, these dialers are pretty straightforward. If there was something like this going on with the code, I'm sure we would have heard about it by now.
  15. wicketr's Avatar
       #15  
    In general I would hope Palm created the Pre so that a fart app couldn't steal information from another application (like login credentials). My concern with the two Google Talk applications is that they ask for your Google login information in their application. Granted, it's understandable why they'd need it, but they could be using it for other things.

    As for the QC auditors, I'm wondering who's actually doing it? Is everyone saying "someone else is doing it" and in reality no one is doing it?

    I would assume that Palm will have a security team that checks certain applications that ask for username and passwords from third party sites. They don't want to be caught hosting an application that asks for user's CITIBank credit card information and then goes about stealing all your money.
  16. #16  
    In my opinion, there is security in the incentives.

    Consider the incentives that a homebrew developer has. Stealing your email login is not really all that lucrative. What can he get from looking at your email or going through your google voicemails? Is there really anything that's going to make him money there? Granted, a large number of email logins might be valuable on the black market for nefarious purposes, but it would probably require larger numbers than he's going to get off the Pre community. Keep in mind, it would take a little bit of effort to steal your password and not get caught.

    He has a lot more incentive to simply produce a good application that might eventually land in the app catalog, where he actually does stand a chance to make some money off of it. So his reputation as a developer and the quality of his application are easier paths to money.

    Now, if we get into a situation where there are 8,000 google voice apps, then it would be hard for him to make money in the app catalog, so maybe the incentive is different in that case. But we're a long, long way from that.
    Palm III-->Handspring Visor-->Sony Clie PEG-NR70-->no PDA -->Palm Treo 755p-->Palm Pre-->HP Veer
