Google account and privacy concerns
December 7, 2010
How much easier it would be if we were able to access information without sharing anything. We would have far fewer privacy concerns. And we would use any site and any application knowing that nothing will be unveiled without our permission.
Talkatone is a social application and uses Google credentials to let you log in, pull your friends, and make calls and chats. Many of our users are concerned about how we use their Google username and password.
We want to deliver a clear message that does not confuse but helps you understand the details.
In short, we DO NOT collect any usernames or passwords on our servers and we DO NOT share them from the Talkatone app. They are only used to communicate with Google servers over a secured connection.
First of all, there is the Apple Application EULA. It clearly says:
b. Consent to Use of Data: You agree that Application Provider may collect and use technical data and related information, including but not limited to technical information about Your device, system and application software, and peripherals, that is gathered periodically to facilitate the provision of software updates, product support and other services to You (if any) related to the Licensed Application. Application Provider may use this information, as long as it is in a form that does not personally identify You, to improve its products or to provide services or technologies to You.
According to this section of the EULA, our application MUST NOT collect anything which can help us identify users, and clearly usernames/passwords are not allowed. We DO comply with Apple’s terms. Otherwise our application would not be approved and would be removed from the Apple store. We have established very open communication with the Apple app review team and always ask for their advice when something is not clear.
Second, Google Talk APIs require the client to log in directly to their servers using the XMPP protocol. Here’s how the flow works:
- Talkatone establishes an insecure connection to talk.google.com.
- The Google server immediately asks to upgrade the connection to TLSv1 (aka SSLv4).
- Talkatone upgrades the connection to TLS as demanded by Google.
- Talkatone transmits your username/password directly to Google for authentication over the secured connection.
- Google accepts or rejects the password.
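The ordering of the steps above can be enforced in the client itself. The following is an added example, not Talkatone's code: it walks through simplified, constructed server stanzas and builds the SASL PLAIN login only after the TLS upgrade. The function names `login` and `sasl_plain` and the sample stanzas are assumptions made for illustration.

```python
import base64
import xml.etree.ElementTree as ET

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed server stanzas (simplified, not captured traffic), in the order of the steps above.
FEATURES_PLAINTEXT = f'<features><starttls xmlns="{TLS_NS}"><required/></starttls></features>'
PROCEED = f'<proceed xmlns="{TLS_NS}"/>'
FEATURES_TLS = (f'<features><mechanisms xmlns="{SASL_NS}">'
                '<mechanism>PLAIN</mechanism></mechanisms></features>')


def sasl_plain(username, password):
    """SASL PLAIN initial response (RFC 4616): base64 of NUL user NUL password."""
    return base64.b64encode(f"\0{username}\0{password}".encode()).decode()


def login(server_stanzas, username, password):
    """Return [(channel, client_stanza)]; raise instead of sending credentials in the clear."""
    sent, channel = [], "plaintext"
    for raw in server_stanzas:
        el = ET.fromstring(raw)
        if channel == "plaintext" and el.find(f"{{{TLS_NS}}}starttls") is not None:
            # Server asks for the upgrade: request it, send nothing else yet.
            sent.append((channel, f'<starttls xmlns="{TLS_NS}"/>'))
        elif el.tag == f"{{{TLS_NS}}}proceed":
            # A real client performs the TLS handshake and certificate check here.
            channel = "tls"
        elif el.find(f"{{{SASL_NS}}}mechanisms") is not None:
            if channel != "tls":
                raise ConnectionError("login offered before TLS; refusing to send password")
            token = sasl_plain(username, password)
            sent.append((channel, f'<auth xmlns="{SASL_NS}" mechanism="PLAIN">{token}</auth>'))
    return sent


if __name__ == "__main__":
    for channel, stanza in login([FEATURES_PLAINTEXT, PROCEED, FEATURES_TLS],
                                 "user@example.com", "constructed-password"):
        print(channel, stanza)
```

The `ConnectionError` branch covers a server, or something in the path, that offers login without the TLS upgrade: the client stops before the password leaves the device.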
Third, in order to make subsequent calls to Google, both username and password are stored together locally on your iPhone/iPod with the rest of the settings. iOS guarantees that no other app can access settings (e.g. no app can read/write files outside of its installation directory). Please be careful with “jailbroken” devices, as an app installed from “Cydia” may have “root” permissions to read everything.
Please note, at this time Google Talk does not offer an OAuth authentication method; it requires a plain text username/password over a secure connection. You may experience the same behavior with the native iOS email app when you set up your Gmail account.
Keep in mind that whenever you use Talkatone your username/password pair is never sent open! Also, whenever possible, communication between Talkatone and Google servers is secured and uses TLSv1 (aka SSLv4). For example, the upcoming Talkatone v0.9.3 will support retrieving Google Voice history, which will establish an HTTPS connection to the Google Voice server and will perform authentication over it using the username/password already stored on your device.
If you still have concerns, please DO contact our support. We’ll be happy to answer your questions.
Update: As of v1.2 we do offer optional