Security

Jan 28, 2010 at 10:13 PM
Edited Jan 28, 2010 at 11:34 PM

It's probably a false positive, but Symantec antivirus 20091.2.0.41 says there is a 'Suspicious.Insight' virus/malware in the v1.2 setup file. This raises several related questions concerning security:

  1. How do we know for sure there is no virus/malware in every release?
  2. Is there any way not to input the Google password into the software, say using OAuth authentication (or OpenID/session cookies/key/going back to the Google website) for sign in?
  3. If not, if a hacker breaks into the computer and gets the password encrypted by the software, can it be decrypted?
  4. If the software has a bug in the future, will the password be leaked?
  5. How do we know the password is not transferred by the software to elsewhere other than Google Reader?
  6. How to confirm that the software accesses only Google Reader and not any other Google services, i.e. is not doing anything it's not supposed to do?

Sorry this sounds skeptical, but supplying a Google password means so much personal data is at risk. Normal users do not have the time and expertise to examine the code line by line, so how do they know the above? Can there be an independent verification for every release, say by Softpedia?

By giving users more confidence in its security, this great software can be more widespread. Thanks.

Coordinator
Jan 29, 2010 at 6:42 AM

Hi syy,

thanks for your post. The installer and stuff I do here in this project is checked on two completely separate machines (one with Windows 7 and Free AV, and the other with Win XP SP3 and Norton, which doesn't give me a warning).

  1. I think I will have a look at Softpedia and what they are offering
  2. Currently not - I just read that Google provides an OpenID login but this also means that you need to enter a password... I think there could be a theoretical approach in using the session token out of a browser session but this would need the user to copy and paste it somewhere out of the browser window
  3. If the hacker just gets the settings file he won't be able to decrypt the password (it's encrypted using the built-in mechanisms of .NET and bound to your login - see http://msdn.microsoft.com/en-us/library/system.security.cryptography.dataprotectionscope.aspx (scope is CurrentUser)). If the hacker takes over control of your account he might be able to decrypt it (while in this case he also should use a keylogger...). And there is always the option to not save the password on the hard disk :)
  4. The password is used exactly once within the program - during login. Afterwards all communication with Google (which is done all over SSL by the way) is based on the token I got on the initial login.
  5. It's Open Source and the password is only used once at login - so if someone wants to be sure he could parse all places in code where "Properties.Settings.Default.LoginPassword" occurs as this is the place where the password is read and follow its (short) trail
  6. Once again it's completely Open Source - I will have a look at Softpedia what they provide (I know I saw some banners from them here and there)

I am not a security expert so - if you are or know one willing to have a look at the code under this view you are welcome :)
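The DPAPI mechanism described in point 3 of the reply above, as an added example that is not the project's own code and not part of this thread: a small C# helper that wraps ProtectedData with DataProtectionScope.CurrentUser, so a stolen settings file cannot be decrypted by another Windows account, while any code running as the same user still can. The class name, entropy string and sample password are assumptions; on .NET Framework the file needs a reference to System.Security.dll.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper illustrating the DPAPI CurrentUser pattern.
static class PasswordStore
{
    // Optional entropy: an application-specific value mixed into the DPAPI key.
    // Without it, any process running under the same Windows account can call
    // Unprotect on the blob; with it, that process must also know this value.
    // (Assumed value; a real app would keep it out of easy reach of other code.)
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-entropy");

    public static byte[] Protect(string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(password);
        try
        {
            // Key material is derived from the logged-on user's credentials by Windows.
            return ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length); // do not leave the plaintext in memory longer than needed
        }
    }

    public static string Unprotect(byte[] blob)
    {
        try
        {
            byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
            string result = Encoding.UTF8.GetString(plain);
            Array.Clear(plain, 0, plain.Length);
            return result;
        }
        catch (CryptographicException)
        {
            // Blob came from a different Windows account (e.g. a copied settings file)
            // or was protected with different entropy: DPAPI refuses to decrypt.
            return null;
        }
    }

    static void Main()
    {
        byte[] blob = Protect("constructed-sample-password");   // constructed input
        Console.WriteLine(Convert.ToBase64String(blob));         // what would land in the settings file
        Console.WriteLine(Unprotect(blob));                      // same account: round-trips
    }
}
```

Running the program as a different Windows user against a blob produced by the first user makes Unprotect return null, which is the property the reply relies on; it does not protect against code running under the victim's own account.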

Coordinator
Jan 29, 2010 at 6:48 AM

Oh - Softpedia already knows about Desktop Google Reader (see http://www.softpedia.com/get/Internet/News-Newsgroups-Blog-Tools/Desktop-Google-Reader.shtml) and confirmed its security for 1.2 Beta 1. I just sent an update request to them :)

Coordinator
Jan 29, 2010 at 7:03 AM

Oh, I have Symantec instead of Norton - it's Symantec 10.1.4.4000 with newest definition and scan engine

Jan 29, 2010 at 7:18 AM
Edited Jan 29, 2010 at 7:20 AM

Thanks. Great to have Softpedia inspect the software. Keep it up for new releases.

The suspected virus comes from this report: http://www.virustotal.com/analisis/8b0c566a24070516b604229a1f30e940cb3e583a5117591e39eff99fed4bba01-1264710282

OAuth probably is the way to eliminate entering the password in the software. http://mageuzi.com/trowl/ can do it.

OpenID brings the user back to a Google page to enter the password, so it is acceptable.

Coordinator
Jan 29, 2010 at 8:20 AM

I am using OAuth myself for my Twitter Snarl style - I am curious but don't see there is a way to use it also for Google Reader!?

Jan 29, 2010 at 9:54 PM

So probably something normal triggers the virus/malware falsely identified in http://www.virustotal.com/analisis/8b0c566a24070516b604229a1f30e940cb3e583a5117591e39eff99fed4bba01-1264710282.