K131

Q: App asks for Apple-ID password; Is that legitimate?

The app "App for WhatsApp One" for iPad asks for the Apple-ID password on startup. This seems rather problematic to me; by disclosing that password to an app I am basically trusting them not to abuse it to hijack my account, which seems to be asking a bit much. Is this even possibly legitimate?

I assume that it is meant to simplify access to WhatsApp Web for the app and user, allowing some kind of authentication communication between WhatsApp on an iPhone and the third-party client on the iPad, but given that I was planning to use it with an Android phone, it simply makes no sense to provide my Apple-ID password.

So I was wondering if there is any way to verify if a password popup is displayed by an app (disclosing sensitive user credentials to a developer) or by the system (only giving the app some restricted access token).

Most services explicitly state that you are obligated to keep your password secret from anyone but yourself, so being asked for my Apple ID – not with the normal prompt as used by in-app purchases, because then it would default to Touch ID – seems pretty unsafe.

Related: http://www.cultofmac.com/263390/app-stores-dirty-secret-apps-can-ask-apple-id-login/

iPad Air, iOS 10.0.2

Posted on Oct 21, 2016 11:12 AM


  • by JimmyCMPIT,

    JimmyCMPIT Oct 21, 2016 11:15 AM in response to K131
    Level 6 (8,476 points)
    Mac OS X

    You'd need to ask the developers, but more importantly you'd need to trust them.

    IMHO trust is always earned before it's freely given.

  • by Michael Black,

    Michael Black Oct 21, 2016 11:29 AM in response to K131
    Level 7 (25,330 points)

    I have never used a 3rd party app that asked for my AppleID password, and I never would. I assume this is because "App for WhatsApp One" provides the function to FaceTime call directly from within the App? Even so, they should not need to cache or store your AppleID password as they could simply have FaceTime prompt for it when needed.

    To my way of thinking, that's like a credit checking app asking for your Bank login password. FaceTime already has my AppleID password cached itself, from when I first signed in to the service on each app, so why would any 3rd party app need it just to launch an Apple App or service?

    P.S. Apple's own security suggestions run counter to ever sharing your AppleID password with any 3rd party (app, person or web site) for any reason - Security and your Apple ID - Apple Support

  • by K131,

    K131 Oct 21, 2016 11:31 AM in response to Michael Black
    Level 1 (4 points)
    iPad

    Brings up the next question... If that prompt is decidedly unnecessary, why was the app even allowed into the AppStore like that? Given the behaviour (enter your AppleID password, or see nothing of the app) it definitely LOOKS like a scam (even if probably it isn't).

  • by Michael Black,

    Michael Black Oct 21, 2016 12:20 PM in response to K131
    Level 7 (25,330 points)

    That I cannot say as I do not know the details of Apple's App vetting process. I do know there have been 3rd party apps for eMail, and if those support iCloud IMAP mail, then you have to provide your iCloud password to the app for it to access your mail. So it may not be inherently forbidden for any App to request it. I just know I would not use any such app though (and I use both 2-step verification and 2-factor authentication with my AppleID, but I still see no reason to ever give those credentials to any third party). I would either simply live without whatever features the app offered, or find an alternative.

  • by K131,

    K131 Oct 22, 2016 2:43 AM in response to K131
    Level 1 (4 points)
    iPad

    Turns out that "not being able to see anything of the app" was actually related to a server problem of WhatsApp. So even without entering the iTunes password, the app works. Which somehow raises even more the question of why there is a pop-up for the password.

    Currently I assume a bug, because the app falsely thinks I had purchased the Pro upgrade.