Don’t Just “Allow” Permissions for Cloud Apps

You have to think before you click “Allow” and grant permission for your Facebook, Twitter, iPad, iPhone, Android or any other apps. If you “Allow” without at least some consideration, it is like you are allowing someone to knock on your front door at home and letting them come in to go through your drawers, open your mail, poke through your address book, look at your private photos, and turn on your computer to browse through your history and files.

This morning I received an email from a PR person pimping the new Wall Street Journal (WSJ) “social” app and encouraging me to watch their “film”. Thinking, “Hey…it’s the Wall Street Journal after all” I went to take a peek at the app, thinking it might be a new iPad or iPhone app. 

It was a Facebook app. Sigh.

While many are all excited about the Facebook f8 Developers Conference starting today and articles like this one on Mashable that believes we should Prepare Yourselves: Facebook to be Profoundly Changed are coming out in droves, I still have an extremely high degree of resistance to arbitrarily opening up my accounts to any organization, even Dow Jones (parent of the WSJ). 

I don’t think so.

Believe me, I’m no Luddite. In fact, as part of my work I’m constantly trolling the app space, signing up for dozens per month so as to try them out, and many I stick with for the long term (e.g., Google, LinkedIn, Twitter, Quora, Delicious, et al). It’s just that I cannot, in good conscience, willingly grant permission to all of these apps, especially now that seemingly every app (especially those running on smartphones and tablets) ask for interconnected permissions.

Many provide these connections since they’re easy for the user. Take an iPhone pic with Instagram and tweet it and send the photo to Flickr. That’s convenient and powerful and I don’t worry much about Instagram. But do I really know if they can “see” my username/password in transit? Nope. It’s that way with so many other apps too.

Same thing with Google Chrome extensions. I’m often blown away when I see how many developers, many of whom are outside the U.S., deliver NPAPI extensions. Google says on that page that developers should strongly consider these security considerations with NPAPI:

Including an NPAPI plugin in your extension is dangerous because plugins have unrestricted access to the local machine. If your plugin contains a vulnerability, an attacker might be able to exploit that vulnerability to install malicious software on the user’s machine. Instead, avoid including an NPAPI plugin whenever possible.

Many provide these connections since they’re easy for the user. Take an iPhone pic with Instagram and tweet it and send the photo to Flickr. That’s convenient and powerful and I don’t worry much about Instagram. But do I really know if they can “see” my username/password in transit? Nope. It’s that way with so many other apps as well which is why I at least stop and think before I grant any sort of permission to an app.