Why is something that would be unacceptable on, let's say, a website considered acceptable in the world of native apps?
I don't even want to touch the topic of ridiculously elevated permissions (recently QR code scanners wanted my phone number, permission to read my text messages and access to my location).
Let's take another example: CloudMagic. I wanted to check out this nice-looking mail client. It integrates with Gmail, so I wanted to give it a try and see whether it fits me. Unfortunately it doesn't, and I hadn't even started using it.
I somehow swallowed the permissions it requested (Device & App history: "Allows the app to view (…) which apps are running, browsing history and bookmarks" – Gulp!).
And next I was shown a nice-looking first screen:
So in this app I was presented with something very similar to Google's mobile sign-in form. Looks legit. Looks! And only looks (even a beginner phishing adept knows how to do that). I can't check the address this form data is being sent to. So basically what CloudMagic wants me to do is provide my Google login and password. And at the same time I have my Google account already added to my system, so CM could just ask me to allow it to use that account.
How is this even remotely ok? This is phishing. I'm in a third-party app and it asks me for another service's credentials while pretending to be that other service's legitimate form.
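As an added illustration (not CloudMagic's code and not part of the original post) of the alternative the paragraph above points at: on Android an app can ask the system for access to an account the user has already added, through AccountManager. The user then sees the platform's own account picker and consent prompt, the app never sees the password, and the token it receives is limited to the requested scope. The account-type string, the scope string and the request code are assumptions chosen for the example.

```java
import android.accounts.Account;
import android.accounts.AccountManager;
import android.accounts.AccountManagerCallback;
import android.accounts.AccountManagerFuture;
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;

/**
 * Example of requesting access to an existing Google account via the
 * system AccountManager instead of showing a lookalike login form.
 * Assumptions for this example: the "com.google" account type, the
 * "oauth2:" scope convention of the Google authenticator, and a request code.
 */
public class AccountAccessExample {
    static final int REQ_CHOOSE_ACCOUNT = 1001;                  // assumed request code
    static final String GOOGLE_ACCOUNT_TYPE = "com.google";      // assumed account type
    static final String MAIL_SCOPE = "oauth2:https://mail.google.com/"; // assumed scope

    // Step 1: let the system show its own account picker. The app only
    // learns which account name the user chose, never a password.
    static void chooseAccount(Activity activity) {
        Intent picker = AccountManager.newChooseAccountIntent(
                null,                                 // no preselected account
                null,                                 // no explicit allow-list of accounts
                new String[]{GOOGLE_ACCOUNT_TYPE},    // restrict picker to Google accounts
                false,                                // don't force prompt if one account
                null, null, null, null);
        activity.startActivityForResult(picker, REQ_CHOOSE_ACCOUNT);
    }

    // Step 2: called from the activity's onActivityResult once the picker returns.
    static void onAccountChosen(Activity activity, int requestCode, int resultCode, Intent data) {
        if (requestCode != REQ_CHOOSE_ACCOUNT || resultCode != Activity.RESULT_OK || data == null) {
            return; // user cancelled; nothing to do
        }
        String accountName = data.getStringExtra(AccountManager.KEY_ACCOUNT_NAME);
        requestToken(activity, accountName);
    }

    // Step 3: ask the account's authenticator for a token limited to one scope.
    // The platform shows its own consent screen the first time; the app
    // receives only a revocable token, never the account password.
    static void requestToken(Activity activity, String accountName) {
        AccountManager am = AccountManager.get(activity);
        Account account = new Account(accountName, GOOGLE_ACCOUNT_TYPE);
        am.getAuthToken(account, MAIL_SCOPE, null, activity,
                new AccountManagerCallback<Bundle>() {
                    @Override
                    public void run(AccountManagerFuture<Bundle> future) {
                        try {
                            Bundle result = future.getResult();
                            String token = result.getString(AccountManager.KEY_AUTHTOKEN);
                            // Use the token as a Bearer credential for the mail API call.
                            useMailToken(token);
                        } catch (Exception e) {
                            // The user declined consent or the authenticator failed;
                            // the app gets nothing and must not fall back to a password form.
                        }
                    }
                }, null);
    }

    // Placeholder for the app's own mail-fetching logic (assumed, not shown).
    static void useMailToken(String token) {
    }
}
```

The difference the user sees is the point: the picker and consent prompt are drawn by the platform, not by a third-party screen that merely resembles Google's form, so there is a verifiable origin for where the credentials go, and a token obtained this way can be revoked from the account settings without changing the password.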
WTF Google, WTF Android and WTF CloudMagic?