A practice that I’m seeing that’s unfortunately common in mobile apps is to require a social media or otherwise widely used account type for login. Often there is no other option.
For example, I see a lot of apps that only have an option to “Log in with Facebook”. Another common one is “Log in with Google” – even on iOS.
Intuitively, this presents a serious risk to the user’s Google account (on iOS) or Facebook account.
Typically, these apps will open a web browser and ask you to log in. This presents an obvious problem. What if the app opens a fake site, or even presents the login within the app itself to avoid an untrusted site identity warning?
Obviously, this won’t fool someone who’s tech savvy, but it will probably work on 80-90% of the population. There’s also no guarantee that the app won’t attempt to intercept login info even if it launches a browser with a legitimate connection to Facebook/Google/whatever.
In case you think this can’t happen on iOS (due to strict vetting), think again. I recall reading an article in 2019 about iOS app malware avoiding the screening when a developer first sets up an app with no malware, then later updates the app, adding the malware. Supposedly Apple doesn’t screen updates as closely, probably because it would be cost-prohibitive.
Another myth that should be busted pre-emptively: “There’s no risk if the app is from a well-known and well-respected vendor, because they will get sued out of existence if they start hacking people’s accounts.” The rebuttal: People give well-known trusted businesses their credit card info for payment all the time. Sometimes, those businesses get hacked and payment info leaks, forcing customers to scramble and cancel their cards.
The question: Does this third-party login scheme that’s rampant in a lot of apps pose a serious security risk that could compromise the user’s Facebook/Google/whatever account?
P.S.: The painfully obvious solution is to have each mobile OS app store require all apps to allow their respective phones’ account type as a login option. iOS devices are designed to work with an iTunes or iCloud account, and Android phones are designed to work with a Google account. There’s no reason why developers shouldn’t be required to leverage that built-in feature for user convenience and security.
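The browser-based login the question describes is, when done properly, an OAuth 2.0 authorization-code flow: the user types the password into the provider's page in the system browser, and the app only ever receives a one-time code that it redeems for a scoped access token. The following is an added, self-contained example (not code from the question or from any real provider) that models both sides of that exchange with a toy identity provider, a `state` check against forged callbacks, and PKCE so that a leaked authorization code cannot be redeemed without the app's secret verifier. The provider, user, client id, redirect URI and credentials are all constructed placeholders. Note the caveat it makes visible: every protection here depends on the credentials being entered in a context the app does not control; if the app renders the login page inside its own WebView, as the question worries, the password passes through the app before any of this runs.

```python
"""Toy OAuth 2.0 authorization-code flow with PKCE and state checking (constructed example)."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 uses for PKCE challenges."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class ToyIdentityProvider:
    """Stand-in for the social-login provider. It holds the real password; the app never does."""

    def __init__(self):
        self.users = {"alice": "correct-horse-battery"}            # constructed credentials
        self.clients = {"photo-app": "photoapp://oauth/callback"}  # client_id -> registered redirect
        self.pending = {}   # authorization code -> (client_id, code_challenge, redirect_uri, user)
        self.issued = {}    # access token -> (user, scope)

    def authorize(self, client_id, redirect_uri, state, code_challenge, username, password):
        """Called by the user's browser, not by the app; returns the redirect the browser follows."""
        if self.clients.get(client_id) != redirect_uri:
            raise PermissionError("redirect_uri is not registered for this client")
        if not hmac.compare_digest(self.users.get(username, ""), password):
            raise PermissionError("wrong username or password")
        code = secrets.token_urlsafe(16)
        self.pending[code] = (client_id, code_challenge, redirect_uri, username)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, client_id, code, code_verifier, redirect_uri):
        """Exchange a one-time code for a scoped token; the PKCE verifier must match the challenge."""
        entry = self.pending.pop(code, None)  # single use: a replayed code fails here
        if entry is None:
            raise PermissionError("unknown or already-used authorization code")
        cid, challenge, registered_uri, user = entry
        if cid != client_id or registered_uri != redirect_uri:
            raise PermissionError("code was issued to a different client or redirect")
        expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
        if not hmac.compare_digest(expected, challenge):
            raise PermissionError("PKCE verification failed")
        token = secrets.token_urlsafe(24)
        self.issued[token] = (user, "profile:read")  # limited scope, not the account password
        return {"access_token": token, "scope": "profile:read", "sub": user}


class MobileApp:
    """The OAuth client. It sees only the authorization code and the scoped token."""

    def __init__(self, idp, client_id="photo-app", redirect_uri="photoapp://oauth/callback"):
        self.idp, self.client_id, self.redirect_uri = idp, client_id, redirect_uri
        self.state = self.verifier = None

    def begin_login(self):
        """Create fresh state and PKCE verifier; return the parameters handed to the system browser."""
        self.state = secrets.token_urlsafe(16)
        self.verifier = secrets.token_urlsafe(32)
        challenge = b64url(hashlib.sha256(self.verifier.encode()).digest())
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "state": self.state, "code_challenge": challenge}

    def finish_login(self, callback_url):
        """Handle the redirect back from the browser: verify state, then redeem the code."""
        params = parse_qs(urlparse(callback_url).query)
        if params.get("state", [None])[0] != self.state:
            raise PermissionError("state mismatch: callback does not belong to our login request")
        return self.idp.token(self.client_id, params["code"][0], self.verifier, self.redirect_uri)


def run_legitimate_login():
    """Full flow: the password goes to the provider via the browser, the app gets a scoped token."""
    idp, app = ToyIdentityProvider(), None
    app = MobileApp(idp)
    request = app.begin_login()
    callback = idp.authorize(**request, username="alice", password="correct-horse-battery")
    return app.finish_login(callback)


def forged_callback_is_rejected():
    """A callback carrying a code but the wrong state must be refused by the app."""
    app = MobileApp(ToyIdentityProvider())
    app.begin_login()
    forged = f"{app.redirect_uri}?{urlencode({'code': 'made-up-code', 'state': 'wrong'})}"
    try:
        app.finish_login(forged)
    except PermissionError:
        return True
    return False


def leaked_code_is_useless_without_verifier():
    """A code observed in transit cannot be redeemed without the verifier the app kept private."""
    idp = ToyIdentityProvider()
    app = MobileApp(idp)
    request = app.begin_login()
    callback = idp.authorize(**request, username="alice", password="correct-horse-battery")
    code = parse_qs(urlparse(callback).query)["code"][0]
    try:
        idp.token(app.client_id, code, "not-the-real-verifier", app.redirect_uri)
    except PermissionError:
        return True
    return False
```

The three functions at the end double as usage: `run_legitimate_login()` returns a token scoped to `profile:read` for `alice`, while the other two return `True` because the forged callback and the verifier-less redemption are both refused. What this mechanism cannot do is protect a user whose password was typed into a login form the app itself drew; the defence against that is the platform's out-of-app login surface (a system browser session or the OS account picker the question's postscript argues for), which keeps the credentials out of the app's process entirely.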