Earlier this week, my colleague Simon Phipps discovered several fraudulent apps on the Apple App Store.
He was able to reach one of the developers, who claimed his Apple developer credentials had been stolen, and someone else put up the fake version of Quickoffice using those credentials.
If those credentials were stolen, they didn't need to be — Apple has a strong second-factor authentication system in place to prevent account hijacking. But it was rolled out only in the last year, so many developers may not have turned it on, relying instead on the still-available, password-only system that isn't as secure.
Microsoft doesn't enable second-factor authentication by default, but it lets you enable that feature in your Microsoft account management page. Otherwise, it uses email to alert you to any changes made, though it will require that you enter a code sent to your email when you try to use a new computer or device for the first time to manage your account, a sort of ad hoc second-factor validation.
Android developers can also use second-factor authentication to secure their Google Play accounts, but the method is much harder to find than with Apple and Microsoft. Even new Google Android developers are probably going with the less-secure method that Apple also long employed: a second email address to which alerts about account changes are sent.
Receiving an email that tells you someone updated your account is better than nothing, but doesn't prevent a hijacking — it merely lets you know you've been hijacked. At that point, you have to wade through the automated systems at both Apple and Google to recover your accounts.
All the while, your legitimate apps' payments may be going to someone else, and that person can use your credentials to publish fake apps and even malware. (The fraudulent apps that Phipps discovered this week have shaken my faith in Apple's vaunted app review process. Clearly, it's not all it's claimed to be.) Second-factor authentication is no cure-all, but it's a good baseline.
Securing your Apple developer account
In Apple's case, you register an iOS device as your second factor, so any account changes have to be validated from that device, similar to how Apple uses your iOS devices and Macs as a second-factor authenticator for changes to your iCloud account. You still have to know the first factor: your account password.
This is the same system Apple provides for all Apple IDs, not only for developer accounts, so you should also use it for your personal Apple ID. In addition, you should not use your personal Apple ID as your developer Apple ID, even with second-factor authentication in place. In case one account is compromised, why risk the other?
To set up second-factor authentication, go to the Apple ID password and security page (sign in with your user ID and password, of course). Have your iOS device at hand (I recommend using an iPhone to get verifications no matter where you are). After you sign in, click or tap the Get Started link under the Two-Step Verification heading. Follow the prompts. It's that easy!
[Figure: Enabling second-factor authentication for an Apple ID]
Apple also provides a recovery key for use if you've forgotten your password or lost your device, acting as a substitute factor for one of the two (but not both at the same time). I suggest you save the recovery key in a separate system, whether in iCloud Drive linked to your personal Apple ID or in a separate service like 1Password, Dropbox, Box, or Evernote that employs a different password and perhaps even a different user ID than your developer Apple ID.
Keep in mind that Apple will make you use the second-factor authentication every time you make an account change in the future, even from the computer or device you always use. That's a pain, but it means a stolen MacBook can't be used to bypass the second-factor authentication requirement, as is possible with Google's approach.
Securing your Android developer account
It's not so easy to secure your Android dev account. You won't find links to enabling second-factor authentication in the Play Store's developer accounts page, for example. But Google has a second-factor account creation page; I found it via a Google search and then by parsing a help page that buried the link. You can skip the goose chase by using the link here. You'll of course have to sign in with your account credentials.
Follow the prompts to set up the second-factor authentication. (You can apply second-factor authentication to any Google account, not only your developer account.)
Google's second-factor authentication works like that of many banks: You get a text message or phone call with a one-time code that you then enter on the website from which you are trying to make an account change.
[Figure: Enabling second-factor authentication for a Google account]
You can tell Google not to require a code from that specific browser on that specific computer in the future, so you don't have to use the second factor every time you make a change — only when you (or someone else) tries to make a change from another device. Of course, if you disable the code requirement on a computer or device and someone steals it and knows your ID and password, you're no longer protected by that second factor.
I strongly recommend you use a different Google account as your Android developer credentials from the one you use for personal Google services. That's a pain in the Google world, I know, because Google likes to automatically use the current ID on all its services; it will even transfer calendars and so on to the current account if you let it.
Switching between Google accounts is not simple, since Google usually asks several times — and its prompts are designed in a way that you can easily but accidentally transfer your data from one account to another. (Google wants you to use one account so that it has that complete picture of you for data-mining purposes. That's not safe for you.)
Still, given how extensively Google accounts are used by many providers' services, they're a big target for cyber thieves. Keeping work and personal accounts separate is even more important for Google account holders. It's a necessary pain.
Securing your Microsoft developer account
Should Windows Metro apps ever take off, such as after Windows 10 is released next year, you may want to develop apps for the Microsoft Store as well.
It too has a second-factor authentication method: the Microsoft Authenticator app you can run in Android or Windows Phone or the Google Authenticator app you can run in iOS. You need to download the appropriate app to your device, sign into the Protect Your Account security management page, then click or tap the Set Up Two-Step Verification link in the Two-Step Verification part of that page.
Again, follow the prompts to select your authentication device and pair it with your Microsoft account. You'll then need that device to confirm account changes via the authenticator app.
[Figure: Enabling second-factor authentication for a Microsoft account]
At the risk of sounding like a broken record, I strongly urge you to use a separate Microsoft account for your development work from the one you use personally. Note that Microsoft will by default associate your developer credentials with any Microsoft account you're already using, so be careful not to let it do that. Be sure to sign out of your Microsoft account if you start the registration process from a personal account, then create a new one to register as a developer.