fognl

Get off my lawn.

Thursday, January 15, 2009

The Great Google Credentials Controversy

So, I just released Greed, an RSS reader application that integrates with Google Reader. So far, it seems to be getting some decent reviews. I've gotten a lot of good feedback in the form of ideas from people, and most of them are things I was either working on already, or will be soon.

One big item: Google credentials. In order to connect to Google Reader, Greed has to log into Google Reader, and to do that it needs the user's Google credentials. The best way to do this would obviously be to take the pre-existing Google credentials off of the phone (they're already there, somewhere) and use those to log into Google Reader. The problem is, there's nothing I can find anywhere in the API for retrieving those credentials. I've scoured the Android source code looking for clues, I've looked through the API documentation, and I've looked in the Google Android Developer's Group, and found precisely... nothing.

Google says they're going to release an API at some point that allows developers to get to these credentials, but they haven't yet. They're keeping kind of quiet about it. For good reason, too, I think.

I've seen a lot of comments in the Market saying things like "No way am I giving you my Google credentials." I think that's fair... I'm not here to make people do things they have a moral objection to. If there were some other way to log you into Google Reader, I'd prefer to be doing that. I wonder, though: what is the difference between me getting your credentials from you directly, and me getting your credentials from the hidden place (wherever it is) on your phone? Either way, I would have them. And not only me: so would the author of any other application you install. At least this way, you know I need them for some good reason.

As soon as I have a way to get them in a more politically-correct manner, I will do so. Until then, here are the choices:

  • Use Greed, and understand that your credentials are kept as safe and secure as it's possible to keep them; or
  • Don't use Greed.

Having laid it out so explicitly, I wonder if I'll see some sort of huge drop in sales volume now.

3 Comments:

  • At 9:59 AM, Blogger Tom Scheinfeldt said...

    I guess my question would be whether my credentials are stored locally on the phone or whether they're sent somehow to you. If it's only the former, I don't really see how having my credentials in two places on my phone is that much more of a problem than having my credentials in one (the secret, hidden) place on my phone.

    Thanks for the application.

  • At 10:41 AM, Blogger Kelly said...

    Tom,

    They're only stored on the phone, in a location inaccessible to any application but Greed. They're definitely not sent to me or anyone else (except Google Reader). I have no use for them. :-)

  • At 7:27 PM, Blogger yacoob said...

    I'd be guessing that the Google API would work this way:
    * application asks for authorization token
    * phone performs authentication using stored credentials, and gets the token from server
    * application gets the token, and uses it to access some Google resource

    Provided that the token is only valid for specific service(s), this should be a bit more secure. Tokens might also time out after some time. Of course you'd still need to trust the author if his app asks for a token for Gmail... this app would be able to do stuff to your mail, no doubt :) But if it worked this way, it would be better than inputting the credentials directly in the app. Something a bit like Kerberos :)
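
The broker-and-token flow sketched in the comment above, as an added example that is not part of the original post, of Greed, or of any Google API: a toy auth server issues scoped, expiring, signed tokens; the phone-side account broker is the only party holding the password; the RSS app only ever handles a token, which the Reader service checks for scope, expiry and signature. All class and function names, the HMAC-signed token format and the sample account are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample account; not a real user or password.
USER = "alice@example.com"
PASSWORD = "correct-horse-battery-staple"
ACCOUNTS = {USER: PASSWORD}


@dataclass(frozen=True)
class Token:
    """Scoped, expiring bearer token. The app sees this, never the password."""
    user: str
    scope: str
    expires: float
    sig: str  # HMAC over (user, scope, expires), keyed by the issuing server


class AuthServer:
    """Stand-in for the provider's auth endpoint (hypothetical, not Google's)."""

    def __init__(self, accounts, ttl=300):
        self._accounts = accounts
        self._key = secrets.token_bytes(32)  # signing key never leaves the server
        self.ttl = ttl

    def _sign(self, user, scope, expires):
        msg = f"{user}|{scope}|{expires}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue_token(self, user, password, scope, now=None):
        """Check the password once, hand back a token bound to one scope and a deadline."""
        now = time.time() if now is None else now
        stored = self._accounts.get(user)
        if stored is None or not hmac.compare_digest(stored, password):
            raise PermissionError("bad credentials")
        expires = now + self.ttl
        return Token(user, scope, expires, self._sign(user, scope, expires))

    def verify(self, token, scope, now=None):
        """Scope must match, token must be unexpired, signature must be genuine."""
        now = time.time() if now is None else now
        if token.scope != scope or now >= token.expires:
            return False
        expected = self._sign(token.user, token.scope, token.expires)
        return hmac.compare_digest(token.sig, expected)


class AccountBroker:
    """The phone's account store: the only component that holds the password."""

    def __init__(self, server, user, password):
        self._server = server
        self._user = user
        self._password = password

    def get_auth_token(self, app_name, scope, now=None):
        # A real platform would prompt here: "<app_name> wants access to <scope>".
        return self._server.issue_token(self._user, self._password, scope, now)


class ReaderService:
    """Toy feed service that accepts only tokens scoped to 'reader'."""
    SCOPE = "reader"

    def __init__(self, server):
        self._server = server
        self._feeds = {USER: ["Feed A", "Feed B"]}  # constructed sample data

    def list_feeds(self, token, now=None):
        if not self._server.verify(token, self.SCOPE, now):
            raise PermissionError("token not valid for the reader service")
        return self._feeds[token.user]


class RssApp:
    """The third-party app: asks the broker for a token, never sees a password."""

    def __init__(self, broker, reader):
        self._broker = broker
        self._reader = reader

    def sync(self, now=None):
        token = self._broker.get_auth_token("rss-app", ReaderService.SCOPE, now)
        return self._reader.list_feeds(token, now)


def demo(t0=1_000_000.0):
    """Run the flow at a fixed clock and report what each misuse attempt yields."""
    server = AuthServer(ACCOUNTS, ttl=300)
    broker = AccountBroker(server, USER, PASSWORD)
    reader = ReaderService(server)
    feeds = RssApp(broker, reader).sync(now=t0)
    token = broker.get_auth_token("rss-app", ReaderService.SCOPE, now=t0)
    mail_ok = server.verify(token, "mail", now=t0)            # wrong scope
    expired_ok = server.verify(token, "reader", now=t0 + 301)  # past the deadline
    forged = Token(token.user, "mail", token.expires, token.sig)  # scope rewritten
    forged_ok = server.verify(forged, "mail", now=t0)
    return feeds, mail_ok, expired_ok, forged_ok


def wrong_password_rejected():
    """The broker cannot obtain a token without the right password."""
    server = AuthServer(ACCOUNTS)
    try:
        AccountBroker(server, USER, "wrong").get_auth_token("rss-app", "reader")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(demo())  # (['Feed A', 'Feed B'], False, False, False)
```

The point the toy makes concrete: compromising the RSS app (or its storage) yields at most a short-lived token for one service, whereas the password-in-app design the post describes yields the whole account, and the user's trust decision moves from "this developer" to "this scope for this app".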

