
If I have a mobile app that supports some kind of social login feature, say, to log in to the app from my Facebook account, and if the app opens the Facebook login page inside the app on a mobile, is there any way to verify that I am indeed connected to the Facebook site?

[image: instagram login]

This is from an app that lets me sync Instagram profile photo with my phone contacts. I trust this app, and once I log in, I have to accept the app permissions.

The problem is that the links do not open in a standard browser, and I cannot check the URL. If someone were to create an app, add such a login button, and open a fake site to collect my password, it looks quite possible to me because I cannot see any HTTPS EV certificate information, let alone the URL of the login page.

  • As a consumer, how can I make sure that such embedded login pages are legit?
AKS

2 Answers


You can't, at least not until mobile OS developers stop prioritizing UX over security.

For now the best you can do is to make sure the app you're using is from a legitimate and trusted developer, and the credentials it's asking for are related to the function of the app (a photo app asking for Instagram credentials to post on it seems alright, but the same photo app asking for Spotify credentials would be more suspicious). Also, you should consider that particular account compromised by the app's developer, so you shouldn't use that account for information you don't want them to see. On some sites that don't revoke OAuth tokens on password changes, a solution to prevent future unauthorized (outside of the legitimate OAuth flow) access would be to change your password. As the OAuth token would still be valid, the legitimate functionality of the app should still work, but sneaky attempts to log in using the harvested password would no longer be successful. Of course, this isn't bulletproof, as a truly malicious app would probably have a bot running on their servers that changes your account's email and password the second you enter it, preventing you from ever accessing your account.

In the long run, the solution would be to put pressure on mobile OS developers to either stop the nonsense described in my first link or at least provide a secure, OS-controlled WebView alternative that apps can use to request credentials. That WebView should prove to the user it's indeed OS-controlled (by doing something that normal apps can't, like intercepting a home button press) and clearly display the URL that's been requested by the app so it can't attempt to display a phishing site.

André Borie
  • Thanks a lot. That Medium post is quite the same frustration I have. – AKS Jan 24 '16 at 20:17
  • Also enable two-factor authentication and use a unique password on every site. That way a potential password-harvester cannot use your password. – Johan Oct 10 '16 at 10:31
  • See this image - google is going to block these from April of 2017 https://i.stack.imgur.com/GdsQT.png – Tim Nov 29 '16 at 16:45
  • @Tim beautiful - can't wait to see Apple's response to this. – André Borie Nov 29 '16 at 16:51
  • @AndréBorie How will it affect them? – Tim Nov 29 '16 at 16:52
  • @Tim as described in the Medium post Apple are very much against opening a browser for authentication, so I'd love to see how they respond when Google prevents auth via embedded browsers and popular apps such as GMail stop working. – André Borie Nov 29 '16 at 17:28
  • @AndréBorie They will probably just keep being the hoity-toity UX snobs they are. If you want pretty UX, go Apple, if you want security, go Android, or do it yourself (but using strong open-source libraries). – NH. Aug 13 '17 at 23:27

This just happened to me. What I did is not trust it and follow these steps:

  1. Verify the connected devices in my Facebook and that I get notifications for new devices.
  2. Change my Facebook password to something random my password manager gave me.
  3. Type that password in the in-app view.
  4. Change my Facebook password again to another thing. DO NOT log out from all devices when prompted.
  5. Review that everything is in order.

That way, I know for sure I'm the only one who connected in that time and that no one has a valid Facebook password.

However, it's a PITA since the same app could ask me to confirm the identity in the future and doing these steps each time is really inconvenient.

Francisco Presencia
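As an added illustration (not code from the question or either answer), this constructed toy identity provider keeps OAuth tokens valid across password changes, as the first answer says some sites do, and walks through the second answer's rotate-before-and-after procedure to show why the app keeps working while a password typed into the embedded view becomes useless afterwards. `ToyIdentityProvider` and `rotate_around_embedded_login` are hypothetical names; PBKDF2 and random tokens stand in for whatever the real site uses.

```python
import hashlib
import os
import secrets
class ToyIdentityProvider:
    """Constructed model of a site that does NOT revoke OAuth tokens on password change."""

    def __init__(self):
        self.users = {}   # username -> (salt, PBKDF2 hash of the password)
        self.tokens = {}  # OAuth token -> username; untouched by change_password

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, self._hash(password, salt))

    def password_login(self, user, password):
        salt, digest = self.users[user]
        return secrets.compare_digest(digest, self._hash(password, salt))

    def change_password(self, user, old, new):
        if not self.password_login(user, old):
            return False
        salt = os.urandom(16)
        self.users[user] = (salt, self._hash(new, salt))
        return True  # existing tokens deliberately survive, as on the sites the answer describes

    def issue_token(self, user, password):
        # Stands in for the OAuth grant the app receives after the in-app login.
        if not self.password_login(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = user
        return token

    def token_is_valid(self, token):
        return token in self.tokens

def rotate_around_embedded_login(idp, user, current_password):
    """Steps 2-4 of the second answer: throwaway password, in-app login, rotate again."""
    throwaway = secrets.token_urlsafe(16)
    idp.change_password(user, current_password, throwaway)
    # Step 3: this throwaway is the only password an embedded view could have harvested.
    app_token = idp.issue_token(user, throwaway)
    final_password = secrets.token_urlsafe(16)
    idp.change_password(user, throwaway, final_password)
    return {"app_still_works": idp.token_is_valid(app_token),
            "harvested_password_works": idp.password_login(user, throwaway),
            "final_password": final_password}
```

On a site that does revoke tokens on password change, step 4 would also break the app's access, which is the trade-off the first answer's comment about OAuth revocation points at.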