4

When installing Postman (on Mac), you can log on using your Google account. For this, the logon view from Google is shown in a window (a kind of WebView, I assume).

How can I be sure this is the real thing and the developers did not just build their own webpage that looks exactly the same? Since there is no browser bar or anything like that, I can't verify the URL.

Now, I was only sure of it after typing my username and password, when Google sent me an email notifying me of the new login.

PS: This is certainly not an attack on Postman; it is just what triggered my question.

Wim Deblauwe
  • I think you need to trust the software that it doesn't abuse your credentials. – Lukas Jun 15 '16 at 14:57
  • @Wim Deblauwe I think you can confirm whether it's fetched from a URL or not using sniffing tools like Wireshark. Right? – Sravan Jun 15 '16 at 15:26
  • @Sravan: Like CristianTM already mentioned in his answer, even then you cannot be sure that they do a GET on the real URL, but display something else in the view at the same time. – Wim Deblauwe Jun 15 '16 at 15:28

1 Answer

3

You just can't.

You could monitor internet traffic and be sure it is loading the Google page, but still not be sure that it is showing the one it loaded. And it could also be the real page while the app is still keylogging what you type.

So:

1) Only type this kind of info into apps you trust;

2) Apps should probably not require you to trust them, by letting you open the login window in any browser you want. It is possible to do it, but probably less usable (and most users don't care about security as much as they care about usability). Personally, I would prefer apps offer that to me at least as an option, if not the default mode.

CristianTM
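The "open the login in a browser you choose" option from point 2 is exactly how OAuth 2.0 for native apps (RFC 8252) is meant to work: the app starts a throwaway listener on 127.0.0.1, hands the authorization URL to the system browser (where the address bar, certificate and password manager are visible to you), and only ever receives a one-time authorization code on the loopback redirect, never your Google password. The script below is an added example, not Postman's code or anything from the original answer; it uses Google's real authorization endpoint, but the client ID is a placeholder, and the final code-for-token exchange at the token endpoint is left out. The PKCE step (RFC 7636) ensures that even a process that sniffs the loopback redirect cannot redeem the code without the verifier held in this process's memory.

```python
import base64
import hashlib
import secrets
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

# Google's authorization endpoint is real; the client ID is a placeholder (assumption).
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "YOUR_CLIENT_ID.apps.googleusercontent.com"


def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_auth_url(redirect_uri, state, challenge, endpoint=AUTH_ENDPOINT, client_id=CLIENT_ID):
    """Authorization request the system browser will open; no credentials pass through the app."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return endpoint + "?" + urlencode(params)


def parse_redirect(path, expected_state):
    """Pull the authorization code out of the loopback redirect, refusing a mismatched state."""
    qs = parse_qs(urlparse(path).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stray or forged redirect, ignoring it")
    if "error" in qs:
        raise ValueError("authorization failed: " + qs["error"][0])
    return qs["code"][0]


class _RedirectHandler(BaseHTTPRequestHandler):
    """Receives the single GET that the browser makes back to 127.0.0.1."""
    received_path = None

    def do_GET(self):
        type(self).received_path = self.path
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"Login received; you can close this tab.")

    def log_message(self, *args):
        pass  # keep the console quiet


def login_via_system_browser():
    """RFC 8252 loopback flow: ephemeral local listener + system browser + PKCE."""
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(16)
    server = HTTPServer(("127.0.0.1", 0), _RedirectHandler)  # port 0: pick a free one
    redirect_uri = "http://127.0.0.1:%d/" % server.server_port
    url = build_auth_url(redirect_uri, state, challenge)
    print("If no browser opens, visit:", url)
    webbrowser.open(url)
    server.handle_request()  # block for exactly one request: the redirect
    server.server_close()
    code = parse_redirect(_RedirectHandler.received_path, state)
    # Next step (not shown): POST code + verifier to the token endpoint.
    return code, verifier


if __name__ == "__main__":
    auth_code, pkce_verifier = login_via_system_browser()
    print("got authorization code of length", len(auth_code))
```

The `state` check is what stops another local process, or a stale browser tab, from injecting a code into your listener, and the loopback address means the redirect never leaves the machine. Compare this with the embedded WebView the question describes: there the app controls both the page and the input path, so none of the browser's signals about where your password is going are available to you.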