touch-packages team mailing list archive

Thread
Date

[Bug 1479747] Re: An app can see whether you have an account without permission

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Alberto Mardegan <1479747@xxxxxxxxxxxxxxxxxx>
Date: Thu, 30 Jul 2015 11:16:16 -0000
Reply-to: Bug 1479747 <1479747@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

The OA API is designed in such a way that hiding this information is far from being a trivial task.
We are working on a new version of the API, which doesn't have these shortcomings. That will be the only accounts API provided with framework 15.10 and later.
Unfortunately, in order not to break compatibility for apps using older frameworks, we cannot simply remove the old API; if this bug is considered worth it, we can work on turning the old API into a wrapper for the new one, so that it will still continue working but it won't provide any info about the accounts which the application cannot access.

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ubuntu-system-settings-
online-accounts in Ubuntu.
https://bugs.launchpad.net/bugs/1479747

Title:
An app can see whether you have an account without permission

Status in ubuntu-system-settings-online-accounts package in Ubuntu:
In Progress

Bug description:
Ubuntu 15.04 r74

1. In Online Accounts, set up a Google account.
2. Install the Calendar app.
3. From the Calendar app's kebab menu, choose "Calendars".

What you see: Your Google account is already listed as a calendar.

What you should see: The Google account is not listed, because you
haven't given permission for the app to know that it exists.

This is a privacy violation: it means that a service can see whether
you have an account with a competing service when that's none of their
business. For example, it means that a Facebook app could tell whether
you have a Twitter account, or vice versa; a Flickr app could tell
whether you have an Instagram account, or vice versa; a Strava app
could tell whether you have a Fitbit account, and so on.

<https://wiki.ubuntu.com/OnlineAccounts#App_access>: "An app should
have no idea whether you have any accounts of a particular type stored
in Online Accounts. It should merely ask for access to an account of a
particular type."

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-system-settings-online-accounts/+bug/1479747/+subscriptions

References

[Bug 1479747] [NEW] An app can see whether you have an account without permission
From: Matthew Paul Thomas, 2015-07-30