
I don't see where he gave permission for the app to post Tweets for him. He gave it access to his Twitter account, but that's not the same thing. To continue your analogy, the stranger was invited into his home, gave him a form to sign that said he could inventory the items there, got it signed, and then proceeded to publish the information in a way that wasn't mentioned on the form.


> I don't see where he gave permission for the app to post Tweets for him. He gave it access to his Twitter account, but that's not the same thing.

It is exactly the same thing. If you give something access to your Twitter account, you are giving it the ability to post, and therefore, tacit permission to post.


Ability and permission are not often linked like this in real life.

If I walk up and stand two feet in front of someone, I have given them the ability to try to punch me in the face; I have not given them permission to do so.

If I utilize a computer repair service and I grant them remote access to a computer at their request, I have likely given them the ability to run the equivalent of rm -rf /, but I have not given them permission to.

I can grant a friend access to my house by giving them a key; that does not mean I give them permission to do whatever they want in my house.

In the above three cases there are legal consequences for a party when overstepping their permissions.


You need to see what the permission means within the behavior of similar permissions, and that is written in application guidelines for iOS devices. Here's one way that this app violates the guidelines, hence does something unexpected with the permission:

"17. Privacy

17.1 Apps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used"


But isn't it written, when you give access to Twitter account, that it could be used to post things for you?


Not really. The Twitter API allows both read-only and read/write access. iOS, as a system-wide grant, has read/write permissions - but apparently does not allow users to specify per-app permissions to be that granular.

Moreover, the app was apparently locking out paid users from any access at all unless permissions were granted, which in itself shouldn't have made it through Apple's vetting process in the first place (exception: Twitter clients). The majority of apps will only need access to the "share sheet" for posting to Twitter, which AFAIK doesn't require explicit permissions (similar to sending an email; the user must hit send).


I don't know since I don't use the app; from the description given in the blog post it seems highly doubtful that the app specifically told him it was going to post to his Twitter account on his behalf without telling him.

Also the app appears to be in violation of the iOS guidelines (see another post upthread), which means that it is not generally understood that apps can post on your behalf without telling you just because you give them access to your Twitter account.



