An app promising free likes and followers for Instagram users has harvested the usernames and passwords of over 100,000 people who have downloaded the app since June this year. The Apple- and Google-approved InstLike app asked users directly for their login credentials rather than using the Instagram API, and created a massive ecosystem of botnets that would like random photos and follow random users.
Security firm Symantec subsequently alerted Google and Apple, who have both removed InstLike from their respective app stores.
This story highlights what can be a tricky situation for both app developers and app users. Any third-party app that you download to enhance or expand your use of a service such as Instagram (or, for that matter, Facebook, Twitter etc.) would need you to log in to your account. However, how do you know who you can trust?
If the app developers are playing by the book, any logging in to a network should be done through that network’s API. In reality, however, it’s not hard for people to create something that looks very similar to those login screens, which might convince slightly less privacy-conscious users that they’re logging in through the normal channels. This appears to be what we’ve seen with InstLike, which saw users submitting their usernames and passwords directly to the developers.
It’s tough on legitimate app developers as well as users, as stories like this foster an environment of distrust towards any app that requires the user to log in via an online account. Adhering to the APIs is one thing, but making sure that your audience realises that you are one of the good guys is another.
With more people choosing to remain logged in to their accounts on their own devices, it’s easy to forget what the actual login screens look like. Just to refresh your memory, here is how five of the most common login/authorisation screens appear:
At SocialSafe your privacy, trust and peace of mind mean a huge amount to us. That is why we never see nor store any of your data, nor do we ever have access to any of your login credentials. All of the content that you choose to back up from your social networks is downloaded directly from the host network in adherence with the respective APIs, and it is stored on your own machine where you have complete control over your data.
If you ever have any questions about how SocialSafe works and what this means in terms of privacy and social network access, then we are always happy to talk to you about this. Just get in touch via one of our social platforms (Facebook, Twitter, LinkedIn, Google+) or leave a comment below.