The security and privacy risks of third party apps

With the blogs in this series I want to reach not only my typical audience, security professionals, but especially less security aware people to help them improve their personal security. If you think the content is helpful for people you know, share it with them!

If you followed me along this blog series, you'll now use strong passwords for all your online accounts with multi-factor authentication configured properly.

Awesome!

But there's still something else to take into account. When you give third party apps or websites access to your user accounts you can weaken your security and privacy.

What are the risks?

Buffer is an app that can post on social media platforms like Facebook or Twitter on your behalf. To do so you must give Buffer access to your social media accounts. In 2013 Buffer got hacked and as a result spam was spread via people's Twitter and Facebook accounts.

Another similar incident happened this year when the Metropolitan Police of London's Twitter account was posting weird messages. The reason was a hacked third party account of a service called "MyNewsDesk".

But even worse things could happen. Third party apps can potentially:

  • Copy and store your data on their servers and the data could be stolen from there.
  • Share your data with other parties.
  • Give you a hard time to delete your data. It might even not be possible at all. For more info about deleting accounts see this post.
  • Change their behavior without notifying you.

It should be clear that before you give an app access to an account, it's important to understand the permissions it requests and what it does with the data it can access. Easier said than done, no one ever reads the terms of service, right? This website summarizes them for a lot of accounts and might be helpful. If you doubt about the security and privacy of a particular app just don't give it access to your account.

In the video in the next session you'll see examples of different kind of permissions third party apps can have to a Google account.

Remove risky and unused third party apps

In this video you see how you can manage third party apps for your Google Account. As a general best practice, if you see apps that have excessive permissions and might be risky remove them and possibly search for an alternative. Also remove redundant third party apps. Like explained in an earlier post, removing unnecessary software reduces risk.

For Twitter you can do the same.

In general the third pary app permissions can be managed in the security settings of your accounts, but here are some direct links for some well known applications: Microsoft, Facebook, Instagram, LinkedIn.

What to do when a third party app gets hacked

Let's take the example of Buffer having access to your Twitter account. If you learn that your Buffer account is hacked, immediately change your Buffer password. Also delete the Buffer app from your Twitter account. Readd it afterwards if you still want to use it.

Conclusion

To further improve your online security check for all your accounts which third party apps have access to them. Remove the redundant ones and the ones with excessive rights.

That's it for today's episode. Stay tuned for more tomorrow. And in the meantime, stay safe online!