I was always a little uneasy about in-app payments. If you have your Google account set up to require a password for purchases (which seems like a prudent thing to me), then it'll ask you for your Google password during the in-app purchase. But what's to prevent the app from spoofing the Google popup dialogue to steal your password? Programming a popup to look like the Google popup and record a password is easy. All they'd lose is the single payment, which is a lot less valuable to me than my password.
So I do watch carefully for that confirmation of the transaction to pop up in my email (usually almost immediately), which makes me feel better that the popup was legitimate and my password hasn't been stolen. To steal my password AND still process the transaction they'd need some kind of man-in-the-middle attack... Considering the security built into everything Google, I imagine that'd be a whoooole lot tougher to pull off than the simple pop-up input window to steal your password without processing the transaction to Google.
What do you think?
Do you agree it would be easy for an app developer to spoof the Google popup and steal your password (if he's willing to forgo the payment)?
Do you think it is safe as long as we get the Google confirmation email (or maybe that could be spoofed too...)?
Or maybe it's not worth worrying about as long as we have 2-factor authentication?