Oh no! Alarming email from “Apple Service”:

We have detect some problem with your account apple,because was sign in from other IP.For the further informations please find the attachment file (PDF) and follow the intructions.

Not problem with my account apple!

So, Micro.blog folk: we’re planning a meetup in London. It’s scheduled to kind of coincide with one that @manton and others are having during WWDC in San José, but that’s not important, really.

What is important is the date, time, and place: Tuesday the 5th of June, from around 6:30pm, at The Grenadier – 18 Wilton Row, Belgrave, SW1X 7NR. More details here.

So far attendance is looking a little light, so your presence is not just desired — it’s required.

If you’re within striking distance of Central London, your Micro.blog community needs you.

We’re having a crazy silent, dry thunderstorm in London tonight.

Beware of Email Apps Storing Passwords

Email apps, especially ones that offer advanced services like “send later,” may be storing our usernames and passwords on their servers.

To be clear what that means: if you use Gmail, for example, you put your Google username and password into the app when you set it up. You expect the app to store them securely on your device. But some apps may also be storing that username and password — your keys to all the Google services in this example — on computers owned by the company that makes the app. Computers over which neither you nor Google has any control.

I’m not suggesting that the company I talk about below, or any other, is doing anything nefarious. They need to be able to log in to your mail server in order to send your mail later. But I hadn’t realised until now what that means, and I’m guessing neither will a lot of people. And to my mind they don’t make what they’re doing clear enough.

Worst of all, having passwords stored on unknown servers — at the very least, that’s worrying.

Background

On episode 194 of the Connected podcast, Myke Hurley and Federico Viticci were reviewing the latest version of the iOS (and Mac) app Spark. It’s a fine email app, which I was using on my iPhone and iPad. So I was alarmed when they mentioned in passing that mail handled by the app is routed through Readdle’s servers. That didn’t seem likely at first. Spark is an email client. You tell it what servers handle your mail, and it connects to them to receive and send. The servers belonging to the company that makes the app have no business getting involved in that.

I did some digging. Whether or not Myke was right™ about mail going through their servers, the reality turned out to be much worse.

Digging

I tweeted at the Spark account. Here’s what happened:

I had already found their privacy policy:

OAuth login or mail server credentials: Spark requires your credentials to log into your mail system in order to receive, search, compose and send email messages and other communication. Without such access, our Product won’t be able to provide you with the necessary communication experience. In order for you to take full advantage of additional App and Service features, such as “send later”, “sync between devices” and where allowed by Apple – “push notifications” we use Spark Services. Without using these services, none of the features mentioned above will function.

The wording “Spark requires your credentials to log into your mail system in order to receive, search, compose and send email messages” suggests that Spark the app needs to log into your server, which it does. But nothing about that says that your credentials will be stored on their servers.

Further down, in point 4, “How Long Personal Data is Stored For,” in a table that includes “Type of information,” we see (emphasis mine):

Email address, email content for Spark Services, mail server credentials

So there it is. They do store your username and password on their servers, and they do tell you; though only if you read well into the kind of document that notoriously goes unread.

Final Thoughts

For features like “send later” they need to store the fact that you want to send an email at a specific time, and log in to your server in order to send it. And to be fair, I’m sure they can’t be alone in keeping that kind of data. Lots of clients offer “send later” and similar services, and all of them will have to log in to your mail server to work. So they have to store your credentials on their servers to do it.

And consider, if you use Gmail, that means your username and password not just for Gmail, but for all Google’s services, are now stored on somebody else’s servers. Their security might be great, but how do we know?

The more I think about this, the more concerned I become. Passwords should only be stored in one place: a secure, trusted password manager. But above all, these services need to be much clearer about the fact that they’re storing our passwords.

I naively thought that, now that GDPR Day is here, we might see a reduction in annoying cookie popups. (I don’t know why I thought that; I was probably just being hopeful.) But it’s got worse. Much worse. Giant, screen-covering popups; “Accept” buttons that don’t work. Oh dear.

This is a form of GDPR email I haven’t seen before (and I’ve seen a lot):

With new data protection rules known as GDPR (General Data Protection Regulation) effective 25th May 2018, we are reaching out to existing customers to notify them that RCP Parking Ltd will be unsubscribing all existing customers from our promotional communications.

RCP Parking Ltd has determined that previously subscribed customers were not subscribed in a manner compliant with the new GDPR regulation.

Refreshingly honest.

The Book of Dust vol 1: La Belle Sauvage by Philip Pullman (Books 2018, 12)

The first volume in Pullman’s “equel” trilogy: part prequel, part sequel, to His Dark Materials. This one is pure prequel, about trying to protect baby Lyra from the forces of the Magisterium.

If you’re already a fan, you’ll want to read this. It’s a real page-turner. If you’re not already a fan, don’t start here, obviously. You’re looking for Northern Lights.

Which I might be just about to start rereading, because that’s what finishing this one makes me want to do.

Office Foliage

At my desk these are attacking from either side.

The view above, and the room as a whole.

Norse Mythology by Neil Gaiman (Books 2018, 11)

Gaiman takes on Thor, Loki, Odin, and the rest. Most of my knowledge of the Norse gods comes from Marvel Comics, with a bit of general cultural osmosis (for example, everyone has heard of Yggdrasil the World Tree, right?)1

I enjoyed it, but it feels like a slight work. That’s a shame, because these are mighty tales, or should be. I guess it’s a book meant at least partly for children, but it’s not marketed that way. And even if it’s meant for kids, the telling should be strong.

I suspect that if you already know the tales, this won’t offer much new to you. And that’s where the problem lies, I think. Instead of turning them into real narratives with proper characters, each story is not much more than a summary of the events. So he’s telling us the story of the story, rather than really telling (showing) the story. It’s a shame, because I know Gaiman could have done something much more interesting with these.

I’m probably being too harsh, though. It’s not like it’s bad. I enjoyed reading it.


  1. In searching for the link to put in there, I discovered the existence of Explain XKCD (or just possibly, rediscovered it, as it does seem a little familiar). Which is cool. Some people put a lot of time into contributing to things online, to the benefit of us all, and I salute them.