A New App Permissions Bugaboo: What Is The AuthToken Permission?



Oooh, what a shocker: today’s Amazon Free App of the Day, Pivvot (note: it’s free today only, anyone reading this after 2/1/14 will find it’s no longer free), is being trashed in 1-star reviews by people who are claiming its permissions list proves it’s malware and/or spyware. Some of those hysterical, paranoid types are going so far as to actually call the app a “Trojan”, despite the fact that they clearly do not understand app permissions at all.

All the app icons pictured and linked in this post are from developers who have been victimized by similar witch hunts. They’re quality apps I own, have used, and can personally vouch for, yet if you click through to them on Amazon you’ll find all kinds of awful, totally untrue claims about them in frothing 1-star reviews.

In this case, the permission the pitchfork- and torch-carrying crowd seems to have their knickers in a twist over is “AuthToken”, which they claim is some kind of device master key that grants the app developer access to read any and all login credentials you may have stored on your device or which you may have previously entered in other apps (e.g., logging into the Facebook mobile app, or logging into your email from your portable device).



AuthToken Was Created Specifically To PROTECT Consumers

The AuthToken permission was created so that app developers could add in-app connectivity to secure sites like Facebook, Twitter, Imgur and so on without having to ask the consumer to provide his or her login credentials for those sites to the app developer. Any app with so-called “social features”, like posting updates to Facebook or Twitter, or being able to play against Facebook friends for example, may be using the AuthToken permission to make those functions possible. Here’s how AuthToken works, in a nutshell.

Instead of asking the user to provide his or her username and password for an outside, secure site (like Facebook) to the app itself and then storing that information within the app (or sending it back to the app developer), apps that employ AuthToken fetch and display the secure site’s own login box, which means the consumer’s username and password for the secure site are ONLY being “seen” and “read” by the secure site itself.

Once the user has logged into the secure site via that site’s own login box, AuthToken stores a “token” that tells the app the user’s login credentials for the outside, secure website have been validated by that site. In turn, this tells the app the user is logged into the outside site and can now interact with that site.
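The flow described above, modeled as an added example (not from the original post, and not the real Android API): `SecureSite`, `App` and their methods are hypothetical names, and token revocation is an assumption of this model. The password only ever reaches the site's own login box; the app holds a random token the site can check and cancel.

```python
import hashlib
import secrets


class SecureSite:
    """Constructed stand-in for an outside site (hypothetical, not a real API)."""
    def __init__(self):
        self._users = {}   # username -> (salt, password hash)
        self._tokens = {}  # token -> username it was issued for
        self.posts = []

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(salt, password))

    def login_box(self, username, password):
        """The site's own login box: the only code that sees the password."""
        salt, expected = self._users.get(username, (b"x", b""))
        if not secrets.compare_digest(self._hash(salt, password), expected):
            return None
        token = secrets.token_urlsafe(32)  # random, unrelated to the password
        self._tokens[token] = username
        return token

    def post_update(self, token, text):
        user = self._tokens.get(token)  # None for unknown or revoked tokens
        if user is not None:
            self.posts.append((user, text))
        return user is not None

    def revoke(self, token):  # assumption: the site can cancel a token
        self._tokens.pop(token, None)


class App:
    """The third-party app: it stores the token, never the credentials."""
    def __init__(self, site):
        self.site = site
        self.auth_token = None

    def connect(self, token):
        self.auth_token = token

    def share_score(self, score):
        return self.site.post_update(self.auth_token, f"Scored {score}")
```
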


The Correct Question To Ask Is NOT “Isn’t It Possible That…?” The Correct Question Is, “How Likely Is It That…?”

Almost without exception, the assumptions being trotted out as if they were facts in scathing 1-star app reviews from ignorant consumers rest entirely on a foundation of “it’s possible”. Like, “Such-and-so permission could be used to gather your private data!”

And matches could be used to burn down your house, or to light your barbecue grill; do you assume anyone who brings a lighter or book of matches to your home intends to commit arson? It’s also possible that Amazon could be selling all its customers’ stored credit card information to a teenage hacker in China, but how likely is it, when Amazon’s entire business model rests on building and maintaining customer trust?

Obviously, there are hackers and scammers in the world who ARE abusing perfectly reasonable and legitimate permissions to do their dirty work. But that doesn’t mean every developer who uses those same permissions is a hacker or scammer. Hacks and scams are a one-off business: the bad guys hang out their shingle and do as much damage as possible as quickly as they possibly can, then they disappear as soon as suspicions are aroused. App developers who are actually running an app development business aren’t going to put their entire operation at risk to make a quick, criminal buck.


How To Tell How Likely It Is

First of all, if you’re getting your apps from Amazon or iTunes, those apps have all been pre-screened and vetted by Amazon or Apple employees. Both of those stores are heavily invested in ensuring customers like and trust their app stores, so they’re not taking chances on listing questionable apps. You will still find some apps that push the limits on acceptable permissions, but there has yet to be a single instance of true malware found in any app obtained from iTunes or the Amazon App Store. Lots of people will claim this or that app is employing “spyware”, but every time I’ve investigated such claims I’ve found them to be totally untrue.

Secondly, if the app description includes positive reviews from trusted app experts, such as TouchArcade, IGN or PocketGamer, you can count every one of those endorsements as a vote of trust and confidence that the developer is not a hacker or scammer.

Third, if the app developer has more than one app listed and overall, most of those apps have a positive review rating, it’s pretty unlikely the developer is going to risk the whole ball of wax by releasing one app that’s up to no good.

Fourth, if the app developer has been around for a while (check the release date on their app(s)), they are clearly not one of those fly-by-night operations that’s just looking to get in, rip you off, and disappear.

Finally, and most importantly: EDUCATE YOURSELF ABOUT APP PERMISSIONS. I’ve decided that I need to write and publish The Digital Media Mom’s Guide To App Permissions In Plain English, because consumers apparently aren’t getting this information anywhere else. My permissions book will be short and therefore I’m only going to price it at 99 cents when I publish it, but the same stuff is already available from many different sources online, for free. For example, see this very helpful, free guide from Patrick Cousins. Note that the guide is in PDF format.


Internet Cranks Love Feeling Like Important Authority Figures Much More Than They Love Actually Helping People

Don’t just take the word of some internet crank who sets him- or herself up as some kind of expert on the tactics of hackers and scammers (and clearly gets a lot of ego gratification from playing that role).

Anytime someone asserts a “fact” about the activities or performance of an app they haven’t even used, you can disregard that review entirely.

Anytime someone asserts that a given app IS actually doing nefarious things, yet provides no proof of the claim, you can disregard that review, too.

Also feel free to disregard a negative review that’s based solely on some alert or red flag that was raised by a totally separate ‘scanner’ app; I’ve already written at length on why scanner apps are useless and misleading, and isn’t it ironic that the same town crier who’s only too happy to assume the worst about every other app in the world trusts his or her scanner app without question?

Anytime someone who’s posted a 1-star review reacts to an opposing viewpoint with anger, personal attacks or a statement implying that the other person is somehow in league with the bad guys, you can go ahead and disregard that review as well. After all, if the 1-star reviewer really IS there just to be helpful, wouldn’t he or she welcome new information, and be open to the possibility that he or she made a mistake, or jumped to a wrong conclusion originally? Why would he or she be so invested in undermining opposing viewpoints?

We all know about the types of people who love power-tripping on internet discussion boards and sites like Facebook by taking potshots at anyone who dares to disagree with them, but a lot of consumers don’t seem to realize those kinds of people love shouting other people down on Amazon, too. Anytime I click through on the Amazon profile of a 1-star reviewer and find the reviewer overwhelmingly leaves 1-star app reviews, always filled with suspicions being presented as fact, I tend to harbor a suspicion of my own: that the reviewer is just using Amazon App Reviews as his or her personal power-tripping pedestal.


Be sure to watch for all the ‘not helpful’ votes on my Amazon app reviews, because the self-appointed app police really don’t like it when I try to point out logical and fact-based reasons why their reviews are unfair or just plain wrong. Bonus points if there’s a comment saying the only reason I’m disagreeing with the paranoid hysterics is that I’m trying to sell books, or have been paid off by evil app developers!

Seriously, this has become so predictable that you could make a drinking game out of it.




  1. Comment by in1ear JOHN:

    Thanks for making it clear upfront. I’m looking forward to your guide to app permissions.

  2. Comment by Terri Bynum:

    This is why I DIG you SO much! You tell it like it is and today especially, you fed those alarmist naysayers some humble pie & went to bat for the creators of the apps that are getting the bad reviews.

    Do these people not realize the potential damage that they can do by spouting off about an app without gathering all pertinent info first? The power of a bad review is scary!

    Thanks a bunch & please keep doing what you do!