How to know if I can rely on an app to keep my password?

How can I know if an app of an unknown author (like gTasks) is reliable for me to give my mail password to use it?


Solution 1:

You have to trust the developer of the app. Period.

Besides code analysis there is no way to eliminate the possibility that an app does send your password somewhere.

And even tools like Little Snitch won't help you if the app is allowed to send emails from your account. If you send an email to somebody it would just use the established connection to afterwards send another email with your password. Since the connection is encrypted you can't see what the app is doing. And because the whole purpose of the app is sending emails the connection is not suspicious at all. Same thing is true for all apps that need access to the internet, if you enter the password to an facebook app it could just use facebook to send a private message with your password and so on.

To make it even more difficult to detect, the developer could implement it in a way that the malicious routine waits 30 days before it sends your password. And if the developer is a smart criminal (he wrote a great app so he probably is) he can detect testers who just fast forward their device date setting too.
If the developer is smart it is nearly impossible to figure such things out without looking at the code.

Entering your password somewhere is all about trust.
And with all those apps from unknown developers it's hard to figure out which app you can trust enough to give it your password.
That's the reason Twitter, among others, uses an authentication process where the app never knows your password.

Having a different password for different services helps in case you have accidentally trusted an untrustworthy developer.
But your email password is a little bit special because usually it can be used to gain access to almost all services you use.

Solution 2:

I'd do the following: use two step authentication in Google, create a password specifically for the app, and then from this page you can check the last time that certain password has been used. If it always correspond to your last gTask usage, then you should be safe.

If that's not the case, you can revoke the password from there.

Note: with this method the developer could read your mail anyway, so better be safe than sorry. However you could create a dummy account and see whether that gets hacked.

Solution 3:

Something like a Little Snitch will help you to determine if app creates any outbound connection besides obvious connection to Google servers.

It still possible for the app to just send your data to google account of rough developer but I don't have idea how to check that.

Solution 4:

If you are not sure about an application search google for reviews or at least a website. If a lot of people complain you wil know not to download the application.

In general you can't trust anyone with your details and it is best to keep them as much as possible to yourself. If you do have to give out your details, make sure you use a different password each time. It will be hard to remember all your passwords, but it also keeps your accounts such as your email or facebook safe.