ninenizil / android2cloud

Automatically exported from code.google.com/p/android2cloud

Don't ask for Google passwords #4

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
It is bad security practice to ask for passwords when they are not needed. 

A better solution is just to pull a google account email address from the 
device and associate that with the google account connected to the website.

Original issue reported on code.google.com by 4braham on 12 Jul 2010 at 10:21

GoogleCodeExporter commented 8 years ago
Hi 4braham, thanks for taking the time to file a bug.

In this case, I'm not entirely sure it's a bug. I debated between using OAuth 
and the stored accounts to authenticate the application for a while. In the 
end, I chose OAuth for a few reasons:

1. It doesn't limit the protocol to Android devices.
2. It is backwards compatible all the way to cupcake.
3. Users don't need to add an account to their entire phone just to use it for 
the app.

While I hear your security concerns, I never actually have access to any 
passwords. They're all entered at http://www.google.com/accounts/, and (as I 
said) the application uses OAuth to authenticate itself, so I never need any 
passwords.

If you still have security concerns, please feel free to respond to this 
ticket, but I'm going to go ahead and mark it as "WontFix" for now. I'll be 
more than happy to reopen the issue if you have some further concerns.

Original comment by foran.pa...@gmail.com on 13 Jul 2010 at 12:40

GoogleCodeExporter commented 8 years ago
In that case I would recommend using OAuth 1.0a with a custom protocol callback 
like android2cloud://callback. That way you can direct the users to 
authenticate with Google in the browser instead of a webview within 
android2cloud. It will have the same user experience and now users can feel safe 
they aren't entering their Google password within an application they just 
downloaded.

Original comment by 4braham on 13 Jul 2010 at 5:13
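The flow recommended in the comment above, as an added example written for this page (it is not android2cloud's code and does not reflect how the project implemented its callback). It assumes the Activity below is declared in AndroidManifest.xml with an intent filter for ACTION_VIEW, CATEGORY_DEFAULT, CATEGORY_BROWSABLE and `<data android:scheme="android2cloud" android:host="callback" />`, that the OAuth 1.0a request token obtained in the first leg is saved before the browser is launched, and that the app keeps the matching request token secret. Class, package, preference and key names are hypothetical. `commit()` rather than `apply()` is used so the code stays compatible with pre-Gingerbread releases, which the thread cares about.

```java
// Added example for this page, not android2cloud's own code.
// Assumes the manifest declares an <intent-filter> on OAuthCallbackActivity for
// android2cloud://callback (ACTION_VIEW + BROWSABLE). Names are hypothetical.
package org.example.oauthcallback;

import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;

public class OAuthCallbackActivity extends Activity {
    private static final String TAG = "OAuthCallback";
    private static final String PREFS = "oauth";                    // hypothetical
    private static final String KEY_REQUEST_TOKEN = "request_token"; // hypothetical
    private static final String CALLBACK_SCHEME = "android2cloud";
    private static final String CALLBACK_HOST = "callback";

    /** Step 1: send the user to the system browser, never to a WebView inside the app. */
    public static void launchAuthorization(Activity from, String authorizeUrl, String requestToken) {
        // Remember which request token we are waiting for; the request token
        // secret from the same leg is assumed to be stored alongside it.
        SharedPreferences prefs = from.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        prefs.edit().putString(KEY_REQUEST_TOKEN, requestToken).commit();

        Uri target = Uri.parse(authorizeUrl).buildUpon()
                .appendQueryParameter("oauth_token", requestToken)
                .build();
        Intent browse = new Intent(Intent.ACTION_VIEW, target);
        // Run the browser in its own task instead of on top of this app's back stack.
        browse.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        from.startActivity(browse);
    }

    /** Step 2: the browser follows android2cloud://callback?oauth_token=..&oauth_verifier=.. here. */
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        String pending = getSharedPreferences(PREFS, Context.MODE_PRIVATE)
                .getString(KEY_REQUEST_TOKEN, null);
        String verifier = extractVerifier(getIntent().getData(), pending);
        if (verifier == null) {
            Log.w(TAG, "ignoring callback that does not match the pending request token");
            finish();
            return;
        }
        // Exchange (request token, request token secret, verifier) for an access
        // token here. Any app may register the same custom scheme and receive
        // this Intent, but without the request token secret it cannot finish the
        // exchange, which is why the secret must never leave this app.
        finish();
    }

    /** Returns the verifier only when the URI is our callback for the token we issued. */
    static String extractVerifier(Uri data, String pendingRequestToken) {
        if (data == null || pendingRequestToken == null) return null;
        if (!CALLBACK_SCHEME.equals(data.getScheme())) return null;
        if (!CALLBACK_HOST.equals(data.getHost())) return null;
        String token = data.getQueryParameter("oauth_token");
        String verifier = data.getQueryParameter("oauth_verifier");
        if (token == null || verifier == null) return null;
        if (!token.equals(pendingRequestToken)) return null;
        return verifier;
    }
}
```

The check that `oauth_token` in the callback equals the token the app handed to the browser is what ties the returning user to the authorization the app started; a callback carrying a different token, or no verifier, is dropped rather than exchanged.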

GoogleCodeExporter commented 8 years ago
An interesting point. I've experimented with it, and found that the back button 
functions oddly when that particular combination is used.

This is using OAuth 1.0a, and currently calls back to the designated server's 
/callback/ URL, then grabs that URL.

I'll experiment some more with launching a browser Intent, but can't make any 
promises.

Original comment by foran.pa...@gmail.com on 13 Jul 2010 at 5:17

GoogleCodeExporter commented 8 years ago

Original comment by foran.pa...@gmail.com on 13 Jul 2010 at 5:19

GoogleCodeExporter commented 8 years ago
Hi,
From a non-techy point of view I'd like to share my experiment with the chrome 
extension's install.

Login leads me to Google's warning: "The site hkelgkihphkegiaagbcgglfidabmgkgp 
is requesting access to your Google Account...". I can't think of a more 
untrustful website's name!

Then Google pushes the warning further: "This website has not registered with 
Google to establish a secure connection for authorization requests. We 
recommend that you deny access..."!

I'd love to give android2cloud a try on my N1 but I'm not convinced by this 
account access webpage... :-(

Original comment by jeremy.ngl on 2 Aug 2010 at 11:14

GoogleCodeExporter commented 8 years ago
Thanks for your input. I'll try and fix that stuff in the next update. There 
are some issues, as App Engine's OAuth implementation is still "experimental", 
but I'll do my best to make everything more trustworthy.

Original comment by foran.pa...@gmail.com on 3 Aug 2010 at 1:06

GoogleCodeExporter commented 8 years ago
This has come up enough that it warrants a fix. I'll try to include one in the 
next Android build.

Original comment by foran.pa...@gmail.com on 7 Sep 2010 at 6:49

GoogleCodeExporter commented 8 years ago
This is actually impractical and fragile with App Engine's OAuth, 
unfortunately. App Engine only allows us to redirect to http/https protocols 
for the callback. As such, we're deprecating OAuth support after version 2.1 
and are moving to the Accounts API for versions 2.2+

More information here: 
http://blog.android2cloud.org/2011/07/you-cant-teach-old-dog-new-tricks.html

Original comment by foran.pa...@gmail.com on 6 Aug 2011 at 6:16
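The Accounts API route the last comment says versions 2.2+ moved to, as an added example written for this page (not android2cloud's own code). The point of the approach for this issue is that the app never sees a password: it asks the system for a token for a Google account already on the device, and the user approves once in Android's own consent dialog. The token type `"ah"` for an App Engine backend, the class and package names, and the listener interface are assumptions; the manifest would also need the GET_ACCOUNTS and USE_CREDENTIALS permissions of that era.

```java
// Added example for this page, not android2cloud's own code.
// Obtains an auth token for an on-device Google account via AccountManager,
// so the app never handles the user's password. Token type "ah" is an assumption.
package org.example.accounts;

import java.io.IOException;

import android.accounts.Account;
import android.accounts.AccountManager;
import android.accounts.AccountManagerCallback;
import android.accounts.AccountManagerFuture;
import android.accounts.AuthenticatorException;
import android.accounts.OperationCanceledException;
import android.app.Activity;
import android.os.Bundle;

public final class GoogleAccountAuth {
    private static final String GOOGLE_ACCOUNT_TYPE = "com.google";
    private static final String APP_ENGINE_TOKEN_TYPE = "ah"; // assumption, see lead-in

    /** Hypothetical listener: the caller decides what to do with the token. */
    public interface TokenListener {
        void onToken(String authToken);
        void onFailure(Exception cause);
    }

    private GoogleAccountAuth() {}

    /** Google accounts already configured on the device; the user picks one, no password asked. */
    public static Account[] googleAccounts(Activity activity) {
        return AccountManager.get(activity).getAccountsByType(GOOGLE_ACCOUNT_TYPE);
    }

    /** Asks the system for a token; passing the Activity lets Android show its consent UI. */
    public static void requestToken(Activity activity, Account account, final TokenListener listener) {
        AccountManager.get(activity).getAuthToken(account, APP_ENGINE_TOKEN_TYPE, null, activity,
                new AccountManagerCallback<Bundle>() {
                    @Override
                    public void run(AccountManagerFuture<Bundle> future) {
                        try {
                            String token = future.getResult().getString(AccountManager.KEY_AUTHTOKEN);
                            if (token == null) {
                                listener.onFailure(new AuthenticatorException("no token returned"));
                                return;
                            }
                            listener.onToken(token);
                        } catch (OperationCanceledException e) {
                            listener.onFailure(e); // user declined the consent dialog
                        } catch (AuthenticatorException e) {
                            listener.onFailure(e);
                        } catch (IOException e) {
                            listener.onFailure(e);
                        }
                    }
                }, null);
    }

    /** When the backend rejects a token, drop the cached copy so the next request gets a fresh one. */
    public static void discardToken(Activity activity, String staleToken) {
        AccountManager.get(activity).invalidateAuthToken(GOOGLE_ACCOUNT_TYPE, staleToken);
    }
}
```

The trade-off the thread already names applies: this ties the app to Android and to an account added to the phone, but the credential prompt is the platform's, not the application's.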