Social Login & 3rd-Party App Authorization

Alan Golman
6 min read · Jul 12, 2018


How often when you download a new app and are in the process of creating a new account do you see “Log in with Facebook” or “Log in with Google”? Almost all of the time now, right? It has become standard practice to be presented with two options: Connect to Facebook or manually create an account by entering information such as a username and email. Given our human tendency to be lazy and seek the easiest choice, most of us elect to log in with our Facebook or Google account. Doing so saves us the trouble of having to go through yet another account creation and memorizing several passwords (or not if you just use the same password for everything).

Typical social login options displayed when creating a new account or logging into an existing one.

It seems innocent enough, but there is a catch: Whenever you link your Facebook account (or any other social media account) to a third party app, you’re giving that app permission to access information from some part of your profile.

What is Social Login?

Social login is a form of single sign-on that uses your existing account at a social networking service such as Facebook, Twitter or Google+ to sign in to a third-party website, instead of creating a new login account specifically for that website. It is designed to simplify logins for end users and, at the same time, to give site owners more, and more reliable, demographic information.

By selecting the desired social networking service, the user simply uses his or her login for that service to sign on to the website. This, in turn, negates the need for the end user to remember login information for multiple websites while providing site owners with uniform demographic information as provided by the social networking service.

Logging in to a website using a service such as Facebook or Google allows the website to make a request for data about you. Facebook and LinkedIn both hold quite a lot of data about us: birthday, email address, employment, college attended, photos, and information that your friends have posted about you (tagged photos, for example). By saying yes to that request, you are adding one more tiny bridge between the virtual islands of your online self.

But how exactly do third-party websites link to a social networking service such as a Facebook or Google?

Open Authorization

Large identity providers use a standard called OAuth (today, OAuth 2.0), an authorization protocol that lets a user grant a third-party website or app limited access to selected pieces of their account data without ever handing it their password. Strictly speaking, OAuth is about delegated access, not authentication; the “log in” part is layered on top of it, either through the provider’s own identity endpoint or, more commonly today, through OpenID Connect, which adds a signed ID token to the same flow. Most of the time when electing to use social login, the third-party website or app tells us what information it is requesting access to.

Most third-party websites (that require you to have an account) understand the reluctance of users to create new accounts. In order not to lose such ‘reluctant’ users, these websites implement an OAuth client that talks to one or more of these providers.

So How Does OAuth Work?

Suppose you are a user and need to sign up or create an account on a third-party website or application:

  1. First, you click on the “Sign up with Facebook” button.
  2. It redirects you to Facebook.com, which checks whether you are already logged in to Facebook. If you’re not, it prompts you for your username and password. Once you’re logged in, it shows you a small consent dialog describing the kind and extent of information you’ll be sharing with the third-party website.
  3. After you press “Continue”, Facebook redirects you back to the website’s registered redirect URL with a short-lived, single-use authorization code. On its own the code proves nothing to the website; it is a one-time ticket that only the registered application can redeem. The website should also check that the state value carried in that redirect matches the one it generated when it started the flow; without that check an attacker can trick your browser into completing a login with a code the attacker obtained.
  4. The website now presents the code to Facebook, server to server, together with the client ID and client secret it received when it first registered itself with Facebook as a legitimate website/application. Facebook verifies those credentials and that the code was issued to that application, and in return grants an access token. It is this token that the website uses to gain restricted, limited access to some of your account information, usually consisting of your name, email address, gender, etc.

In a nutshell, OAuth basically lets you give third-party websites a special key that opens only one door of your house and simultaneously protects the master key (i.e., the username and password of Google/Facebook), which can open all the doors of the house.
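The four steps above, carried end to end in Python as an added example that is not part of the original post. The provider (`FakeProvider`) and its endpoint URL are constructed stand-ins for Facebook or Google, so the whole thing runs offline; the client-side functions are the part a third-party site would actually write. Beyond the steps in the text it adds two checks that the OAuth 2.0 specifications expect of a real client: a random `state` value generated before the redirect and verified on return, and PKCE (RFC 7636), which binds the authorization code to the session that started the flow. The provider side shows why the code is only a one-time ticket: it is consumed on first use, and the exchange fails if the client ID, client secret, redirect URL or PKCE verifier do not match.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://provider.example/oauth/authorize"  # placeholder, not a real provider


def s256(verifier):
    """PKCE S256 transform: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_pair():
    """(code_verifier, code_challenge) per RFC 7636."""
    verifier = secrets.token_urlsafe(48)
    return verifier, s256(verifier)


def build_authorization_url(client_id, redirect_uri, scope, state, code_challenge):
    """Steps 1-2: the link behind "Sign up with <provider>". `state` is random,
    stored in the user's session and re-checked when the browser comes back."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state,
              "code_challenge": code_challenge, "code_challenge_method": "S256"}
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 3: the provider redirects back with ?code=...&state=... Reject the code
    unless state matches this session's value (stops login CSRF / code splicing)."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise PermissionError("provider error: " + q["error"][0])
    if not hmac.compare_digest(q.get("state", [""])[0], expected_state):
        raise PermissionError("state mismatch (possible login CSRF)")
    return q["code"][0]


class FakeProvider:
    """Constructed stand-in for the social network's authorization server."""

    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri = redirect_uri
        self.codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, auth_url):
        """Consent screen: the user presses Continue and the provider redirects
        back to the registered URL with a one-time code and the echoed state."""
        q = parse_qs(urlparse(auth_url).query)
        if q["client_id"][0] != self.client_id or q["redirect_uri"][0] != self.redirect_uri:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (self.client_id, self.redirect_uri, q["code_challenge"][0])
        return self.redirect_uri + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, form):
        """Token endpoint: the code is single-use and bound to client, redirect_uri
        and PKCE challenge; the client secret must match."""
        entry = self.codes.pop(form.get("code", ""), None)   # pop: a replay finds nothing
        if entry is None:
            return {"error": "invalid_grant"}
        cid, ruri, challenge = entry
        if (form.get("client_id") != cid or form.get("redirect_uri") != ruri or
                not hmac.compare_digest(form.get("client_secret", ""), self.client_secret)):
            return {"error": "invalid_client"}
        if not hmac.compare_digest(s256(form.get("code_verifier", "")), challenge):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer"}


def exchange_code(provider, code, code_verifier, client_id, client_secret, redirect_uri):
    """Step 4: back-channel exchange, server to server, never through the browser."""
    return provider.token({"grant_type": "authorization_code", "code": code,
                           "redirect_uri": redirect_uri, "client_id": client_id,
                           "client_secret": client_secret, "code_verifier": code_verifier})


def social_login(provider, client_id, client_secret, redirect_uri, scope="email"):
    """The whole flow as the third-party site runs it."""
    state = secrets.token_urlsafe(16)
    verifier, challenge = pkce_pair()
    callback = provider.authorize(
        build_authorization_url(client_id, redirect_uri, scope, state, challenge))
    code = parse_callback(callback, state)
    return exchange_code(provider, code, verifier, client_id, client_secret, redirect_uri)
```

Note the split between channels: steps 1 to 3 go through the user's browser (the front channel), so everything in them can be seen and tampered with by whoever controls that browser; only the step 4 exchange, the one that carries the client secret, happens server to server. That is why the secret never appears in the authorization URL and why the code alone, without the secret and the PKCE verifier, is useless to anyone who intercepts it.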

Data Collection & Cambridge Analytica

When it comes to the data that Facebook in particular has about each of its users and what it allows third-party apps to have access to, the social media giant has a strict Platform Policy that outlines what developers of third-party apps can and cannot do. With regards to data, third party apps are required to “provide a publicly available and easily accessible privacy policy that explains what data you are collecting and how you will use that data.”

All apps that ask for detailed information about Facebook users are required to go through an app review process in which they must justify why that information is necessary for the app. Approval is only granted if an app can show that the information it is requesting will be used directly. If this is the case, then how was it possible for the political consulting firm Cambridge Analytica to collect user data from over 50 million people?

April 21, 2010: Facebook launches a new platform called Open Graph that allows external developers to reach out to Facebook users and request permission to access a large chunk of their personal data, including access to their Facebook friends’ personal data too. If accepted, these apps would then have access to a user’s name, gender, location, birthday, education, political preferences, relationship status, religious views, online chat status and more.

2013: Cambridge University professor Dr. Aleksandr Kogan and his company Global Science Research create an app called “thisisyourdigitallife”. The app prompted users to answer questions for a psychological profile. Almost 300,000 users were paid to take the psychological test. The app not only collected the users’ personal information, but also that of all of their Facebook friends, thus resulting in Kogan having access to the data of millions of profiles.

2014: Facebook adapts its rules to limit a developer’s access to user data. This change was made to ensure a third-party was not able to access a user’s friends’ data without gaining permission first.

Targeted Advertising

The data held by social platforms and service providers like Google are incredibly valuable for building a virtual profile of our lives. Our online habits and preferences are all tracked and used against us whether we realize it or not. Google tracks your online habits through search queries, its Chrome browser and more, building interest and demographic profiles that it uses to sell targeted advertising on Google products, from Gmail sidebar ads to sponsored search results.

The more data ecosystems that are connected, the more a company can know about us and the more we continue to be their product, helping to maximize their profits. I know that I have fallen victim to this practice after clicking on an ad just once and then seeing the same product shown to me wherever I go online, whether that be on my Facebook page or anywhere else that displays ads in a sidebar.

By using social log-in we are adding data ecosystems to a company’s reach. It is for this reason that users must be vigilant and aware of their online activity and to the information they allow certain websites to have access to.

To Conclude…

People use Facebook and Google log-in because it’s easier than creating a new account. The benefits of sailing smoothly past log-ins and account registrations often mean we’re happy to trade away some data privacy. However…

  • Be aware that if you choose to log in with a social account, your data will be shared between the social network and the third-party app. Stay updated on your social networks’ privacy policies, and use the social log-in accordingly at sites you feel comfortable sharing data with.
  • Don’t use your main account to log in to a site whose security you don’t trust.
  • Don’t link a social profile to sensitive info like your Social Security number or financial details. In these cases, a separate account and password is your safest bet.

Stay safe!
