18

I've installed an Electron app "Google Play Music Desktop Player" which presents a Google login screen:

[Image: Login screen that appears to be from Google]

This is in a standalone window with no URL displayed. Although I have no reason not to trust this app, how can I be sure that this login screen is genuine?

I'm running Chrome on Fedora.

Andrew M.
  • 1
    I would run WireShark to analyze your network traffic, then "login" with fake credentials and see where the request is being sent – nd510 Oct 31 '16 at 00:07
  • 1
    Does pressing F12 button bring out the developer tools? If it does, then you can check the web traffic. Without an address bar, you are at the programmers mercy – JOW Oct 31 '16 at 01:19
  • 5
    This is exactly the type of question you SHOULD be asking, and because people become accustomed to not verifying what page they are on, it makes it easier for attackers to perform attacks as described here: https://docs.google.com/document/d/1L0AwThspt8yeFdQrpGt7wDm1e-wDzEzQK4BeN4pG16w/edit?usp=sharing – Johan Oct 31 '16 at 08:21

1 Answer

6

Here are some ways I can think of, but if someone tried hard enough I don't think there would be a way to stop him.

Check a fake email - Google's login will only display a password input if the username exists, so enter any email you know does not exist (e.g. ajksjdlalsjdlkasldkldjalk@gmail.com); if the password box still shows up, then it is not a genuine Google login page.

Try viewing the source - Since the app is pretty much a browser you might be able to view the source. Try right click and view source or F12.

Packet sniffer - Download a packet sniffer such as Wireshark and check where the traffic is coming from. Is it from Google or from another source?

These are only a few examples but sadly there is no solid way I can think of. Be cautious and pay attention to anything abnormal.

Bubble Hacker
  • 1
    The one problem with the fake email check is that a malicious application could inject JavaScript (or do something similar) to retrieve data without interfering, thus passing your test – Nick Mertin Nov 02 '16 at 02:38
  • @NicholasMertin You are correct, although it is a type of test :) – Bubble Hacker Nov 02 '16 at 10:29
  • Thank you @BubbleHacker. The app doesn't allow viewing the source nor can I open Dev Tools. It did pass the (not foolproof) fake email test and Wireshark shows traffic to googleusercontent.com so I think we're ok. I found a [page](https://dev.fitbit.com/docs/oauth2/) warning developers not to hide the URL as this app does and I've reported this as a security issue on the app's GitHub site. – Andrew M. Nov 04 '16 at 02:57
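The packet-sniffer check in the answer stops at "look where the traffic goes". As an added example (not code from the original answer or from the app), here is a small Python script that takes the TLS SNI hostnames exported from a Wireshark/tshark capture and flags any that are not under a Google-owned domain, matching on DNS label boundaries so that a look-alike such as accounts.google.com.<other-domain> is not mistaken for Google. The allowlist and the sample capture lines are constructed assumptions for this example.

```python
from typing import Iterable

# Domains a genuine Google sign-in flow is expected to contact.
# Constructed allowlist for this example; trim or extend it to what your own capture shows.
EXPECTED_SUFFIXES = (
    "accounts.google.com",
    "google.com",
    "googleapis.com",
    "googleusercontent.com",
    "gstatic.com",
)


def host_matches(host: str, suffix: str) -> bool:
    """True only if host IS the suffix or a subdomain of it, checked at a label boundary.

    A plain substring/endswith check would accept 'evilgoogle.com' or
    'accounts.google.com.attacker.example'; this does not.
    """
    host = host.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def unexpected_hosts(sni_lines: Iterable[str]) -> list[str]:
    """Return SNI hostnames not covered by the allowlist, deduplicated, in order seen."""
    seen: list[str] = []
    for raw in sni_lines:
        host = raw.strip()
        if not host:
            continue  # tshark prints an empty field for packets without an SNI
        if not any(host_matches(host, s) for s in EXPECTED_SUFFIXES) and host not in seen:
            seen.append(host)
    return seen


# Constructed sample of what this tshark command could print for a capture of the login window:
#   tshark -r capture.pcapng -Y "tls.handshake.type == 1" -T fields -e tls.handshake.extensions_server_name
SAMPLE_SNI = """accounts.google.com
ssl.gstatic.com

lh3.googleusercontent.com
accounts.google.com.login-check.example
collector.example.net
""".splitlines()

if __name__ == "__main__":
    for h in unexpected_hosts(SAMPLE_SNI):
        print("unexpected host contacted during login:", h)
```

Any hostname the script reports is one the answer's check would want explained before credentials are typed in; an empty result only means nothing outside the allowlist was contacted, not that the window itself is genuine.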