Oauth
Latest
Google blocks G Suite access for apps that only rely on usernames and passwords
A couple of years ago, Google starting warning users that certain third-party apps that access its business-oriented G Suite might not be secure. Now, it's taking that to the next level by blocking any "less secure apps (LSAs)" that try to access G Suite with only a username and password. Going forward, Google will only support the much more secure OAuth system, which it first adopted for Gmail way back in 2010.
Facebook stops asking new users for email passwords
Facebook has halted a sketchy practice of asking some new users for their outside email credentials in order to verify their accounts. After a Twitter user on Sunday shared a screenshot of Facebook asking them for the password to their email, the social media giant faced intense criticism from security professionals. A spokesman for Facebook told The Daily Beast that it would no longer engage in this practice.
Beware phishing emails posing as Google Docs invites (updated)
If you received an out-of-the-blue email purporting to share a Google Docs file, you're not alone -- and whatever you do, don't click the link inside. Many people online, including more than a few journalists, have been bombarded with phishing emails (currently from a mailinator.com account) that try to trick you into opening a fake Google Docs link. If you click through and grant a bogus "Google Docs" app access to your Google account, the perpetrators can get into your email. And of course, havoc follows after that -- the app spams email to everyone you've ever messaged, and bypasses Google's usual login alerts (including for two-factor authentication).
Popular login services have a security hole, but Facebook and Microsoft can't fix it
The recent Heartbleed scare caused a huge stir, even though it was effectively fixed before it even happened. There are other sorts of security holes, however, which can't be plugged so readily, and which affected companies therefore have less incentive to publicize. A researcher in Singapore, Wang Jing, claims to have uncovered a potentially serious example of this involving the widely-used login services OAuth and OpenID. He says that he's tried to alert major web services that rely on these platforms, including Facebook, Microsoft and Google, but they're refusing to take responsibility for the issue.
Outlook.com gains IMAP support, integrates with third-party services like TripIt
Hello, compatibility! Microsoft's obviously a major proponent of Exchange ActiveSync (EAS), but if you've been using electronic mail for any length of time, you're probably aware that IMAP is a darn near universal protocol. Now, Microsoft is adding IMAP (and OAuth) support to Outlook.com. In addition to this being a lovely sign of Microsoft not shunning rival standards, it also opens up a ton of new possibilities. For one, applications that haven't supported EAS -- programs such as Mac Mail and the Mac edition of Mozilla Thunderbird -- can now host Outlook.com accounts. Moreover, IMAP gives devs the ability to build third-party clients and services that are useful to end-users, and Microsoft's announcing the first set of those as well. TripIt, Sift, Slice, motley*bunch, Unroll.me, OtherInbox, and Context.IO have taken advantage of Outlook.com's new IMAP capability and are rolling out updates today that allow their apps and services to integrate with your Outlook.com email. If you'd like for your own app to follow suit, Microsoft's providing a bit of instruction right here.
Twitter accounts compromised by third-party attack: Here's what you can do
It's become a regular occurrence that a site's credentials become compromised. (At least it's a nice change from Big NSA brother, I suppose. Big NSA brother is ALWAYS watching you.) Now it is Twitter's turn, apparently courtesy of a third-party app. A Twitter spokesperson confirmed to the Guardian that the site itself was not directly attacked. GigaOM writes that a hacker published access credentials for thousands of Twitter accounts. Compromised details include Twitter user IDs and OAuth tokens. GigaOM recommends revoking and re-granting access to any third-party apps connected to your account. To do this, point your browser to https://twitter.com/settings/applications. There, you'll find a list of all applications -- web and iOS -- attached to your account. For most apps, you'll simply click the Revoke access button. You will need to sign in from those apps to use them again. For iOS apps, you'll find details about revoking access at this link. Thanks Laurent P.
Google Play services arrives for Android 2.2 and above, the eager can download directly
Google recently announced to developers the availability of a new "Services" platform, to allow better integration of its core products in 3rd party apps. The update comes in the form of an APK that will automatically find its way to handsets with Android 2.2 and above. But, for the impatient amongst you, it's available for download directly from the Play store now. This first release centers around better integration for Google+ (for account sign-in / Plus buttons etc) and providing OAuth 2.0 functionality, but it's expected that deeper functionality with the Google universe will take root soon. Most handily, as Mountain View decided to deliver this in the form of an app / APK, there's no pesky waiting around for networks to get it to you. Read up on the benefits via the more coverage links, or head to the source to make sure you're on-board.
Microsoft adds open standard support to Messenger, third-party clients now welcome
Windows Live Messenger may not be as popular as it used to be, but it's still accessed by 300 million users, and Microsoft is now hoping to grow that by making it a little more open. The service now supports XMPP and OAuth 2.0, paving the way for other chat software and services to connect more easily (some already do, but by using unofficial methods). XMPP is a messaging protocol (previously known as Jabber and used by Google Talk) and OAuth 2.0 is an open standard for authorization that both Google and Microsoft have stepped out with early support for. Maybe by opening Messenger up a bit, Microsoft is trying to avoid what happened with ICQ.
Microsoft delivers Live integration for Android, iOS, and Windows Phone devs
Can't seem to part from that Hotmail account you established back in '96? Good news, because Microsoft is providing app developers with the necessary tools to hook into your Windows Live account -- and it's bringing Messenger and SkyDrive along for the ride. Now, publishers of Windows Phone, iOS, and Android applications will be able to empower you, the end user, to access your contacts, photos, and other personal bits from your dominant smartphone of choice. According to Redmond, consumers should expect a seamless experience when signing in and granting application privileges, which will be required only once, as third-party apps will remain authorized for Live access until its privileges are specifically revoked. For developers, Microsoft is providing standardized sample code, and software can be registered with Microsoft by simply providing the name and language of the app. It's an unholy matrimony for sure, but we'll gladly crash the reception.
Twitterrific 3 for the iPad: change, tough love, and better
Here's a good sign that you've made some pretty significant changes to your application: three different people from the company write three different posts about the new design. That's what the folks from Iconfactory did about Twitterrific 3. David Lanham wrote about Redesigning Twitterrific, not just the timeline, but also the settings, contacts, filtering, and more to "optimize the user experience." Gedeon Maheux wrote about Twitterrific's Tough Love, and realizing that Twitterrific had gotten out of hand, along with the steps they took to make it better rather than just pile more on top of it. Craig Hockenberry wrote about not designing for early adopters, whose expectations may limit making something better by expecting you to simply build on what you had before. I was an early adopter of Twitterrific on the Mac, and still compare all other applications to Twitterrific when I am using them. When I first heard about the changes in Twitterrific 3, I was sure I was going to hate them. After having used it for awhile, I still think Twitterrific is my favorite iPad app. I've been using it since I bought my iPad back in mid-June, and although I've tried some of the others, I keep coming back to Twitterrific. Many others have just started using Twitterrific 3 for the iPhone or iPad because Twitter turned off "basic authorization" logins. All Twitter applications now must use Twitter's (severely, thoroughly flawed) OAuth system for logging in. Read on for my thoughts on the app, as well as what TUAW heard directly from Iconfactory about the future of the app.
HTC Peep cooked, served a l'orange by Twitter's new authentication scheme (update: fixed?)
It's been known for some time that Twitter would be moving away from basic authentication to OAuth for third-party apps; in fact, they'd already officially pushed back the drop-dead switchover date once to mid-August before finally pulling the plug this week. Be that as it may, it makes sense that a bunch of lesser-known, less-maintained apps would fall by the wayside once the old security mechanism got shut down -- but HTC's Peep? Really? Sure enough, we've been able to confirm on our own Desire that the Twitter app HTC bundles with its Sense UI for Android is no longer working this morning, giving users an "incorrect username or password" error when they try to connect. We're not sure if they'll be able to fix this with a Market update across the board or if it'll take a bunch of firmware updates to get everyone back on the up and up, but either way, something tells us Twitter isn't going to flip the switch back on for these guys. Update: We can't say for certain whether Peep's working properly now, a few days later, but our Froyo-filled Droid Incredible (and those of several tipsters) seem to be displaying tweets just fine, and Twitter itself reports that it recently fixed an issue with Peep, Moto Blur and a variety of other third-party Twitter clients. [Thanks to everyone who sent this in]
Gmail enables OAuth, Syphir for iPhone already using it
Google has introduced OAuth authorization for Gmail, meaning that approved applications can access your Gmail account without you giving them access to your Gmail username and password. OAuth has been used as Flickr and Twitter for some time, but is a new development for Google. Previously, if you wanted to get push notifications on your iPhone when you received a message at Gmail, you had two options: trust a third-party application with your username and password, or automatically forward a copy of all of your email to a different email address and trust that they would not save a copy of your email. As you can imagine, neither of those made security-conscious users very comfortable. There is already an iPhone app available which uses OAuth, SmartPush ($2.99) by Syphir promises to give you finer control over notifications from Gmail on your iPhone. We hope to have a review of SmartPush here on TUAW in the near future, so stay tuned for that.
