Rants From Muy Brain


How To Secure Google Notifier

August 21st, 2008 by John Strunk

Security

Google Notifier for Mac OS X is really handy. Since getting it, I rarely miss emails to my Gmail account, as it is really quick to see when a message comes in and whether I need to address it immediately. However, this program connects to Gmail and authenticates in plain text over HTTP. It also fetches the email messages over the same unencrypted connection, then pops up a nice Growl notification of the email that was just delivered.

Horrified yet again at being let down by an application I love, I did some digging and found you can actually secure this. There is no option in the application … c'mon devs, WTF! However, you can edit the plist file manually and enable a variable to switch to HTTPS. Here is how you do it in Mac OS X:

  • Double click “Macintosh HD” (or whatever your hard drive is called)
  • Click your username under “Places” (we are navigating to your user’s home directory)
  • Double click “Library” under your home directory
  • Double click “Preferences”
  • Find the file “com.google.GmailNotifier.plist” in this location and double click it; it should open in a program called “Property List Editor”, which is a plist editor for this particular kind of file
  • You will see a “Root” under the “Property List”, expand it (click the arrow next to Root) so you see all the “Child” variables to “Root”
  • Highlight “Root” then click “New Child” then enter the name “SecureAlways” (without the double quotes)
  • Make sure the “Class” section for “SecureAlways” says “String”, if not, use the pull down to change it as such
  • Enter “1” in the value section of “SecureAlways” (without the double quotes)
  • Quit and click “Save” when prompted
  • If open, you will need to turn off, then turn back on the application

Now, after having monitored my traffic, the entire application runs through HTTPS. I don’t understand you devs putting these variables in, having the code to handle them, and then not making the option available in the application preferences! C'mon guys, give us the warm fuzzy of knowing we are safe and secure!

Posted in All, Security | No Comments »

How To Secure Gmail

August 21st, 2008 by John Strunk

Security

This has probably been shown a ton through forums and news articles, but I wanted to make sure to reemphasize the need for security with Gmail. Gmail is great, there is no doubt about it, and I love and use it every day. You do need to be aware, though, that while logging into Gmail’s website initially uses SSL (HTTPS) for the password exchange, you are immediately dropped to a plain-text HTTP session for the rest of the time you are logged in.

After the secured initial login, the system uses a session-based tracking method to make sure you are … who you say you are. This is also so you don’t have to keep entering your password for every click in the interface. On the surface it seems reasonable to only need security for the login itself, since that is where the password travels. However, anyone sniffing your network traffic can grab the session data in transit, as it isn’t encrypted. It is then trivial for an attacker to use your session data and enter your account without authenticating. From there, they can read your mail and wreak all kinds of havoc on your account.

This is why it is important to set up HTTPS when using Gmail. Once logged into Gmail:

  • Go to Settings
  • Next to “Browser connection”, click the radio button next to “Always use https”
  • Click “Save Changes” below
  • Log out then log back in

This will now send your entire session over secured HTTPS, from the password exchange to the session exchange.


How To Secure Twitterrific

August 21st, 2008 by John Strunk

Security

I have come to love Twitterrific, and while looking into the security issues I was having with Google’s Gmail Notifier, I uncovered yet another security concern. It appears that Twitterrific does not connect to the Twitter service via HTTPS, but rather connects via HTTP and authenticates in plain text! WTF IS THIS!

I looked all through the preferences just to make sure I didn’t miss it somewhere, but, nope, no option to enable SSL or encrypted logins. I can understand downloading updates over plain HTTP after an initial encrypted login, to save overhead on Twitter’s side, but the clear-text HTTP post of the password is crazy! I had to do some digging, and here is how I found to correct this via the command line in Mac OS X:

defaults write com.iconfactory.Twitterrific protocol -string "https://"

I did one better and found a way to do it “graphically”, for those too afraid to mess with the command line in Mac OS X. It does essentially the same thing as the command above. Here is how:

  • Double click “Macintosh HD” (or whatever your hard drive is called)
  • Click your username under “Places” (we are navigating to your user’s home directory)
  • Double click “Library” under your home directory
  • Double click “Preferences”
  • Find the file “com.iconfactory.Twitterrific.plist” in this location and double click it; it should open in a program called “Property List Editor”, which is a plist editor for this particular kind of file
  • You will see a “Root” under the “Property List”, expand it (click the arrow next to Root) so you see all the “Child” variables to “Root”
  • Highlight “Root” then click “New Child” then enter the name “protocol” (without the double quotes)
  • Make sure the “Class” section for “protocol” says “String”, if not, use the pull down to change it as such
  • Enter “https://” in the value section of “protocol” (without the double quotes)
  • Quit and click “Save” when prompted

When you restart Twitterrific, it will start connecting via HTTPS.
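The Property List Editor steps for both the Gmail Notifier post and this one come down to adding one String child to Root, so here is an added example (my own, not from either vendor) that does the same edit with Python's standard-library plistlib. The domain names, key names and values are the ones the two posts give; the sample plist bytes are constructed for illustration.

```python
import plistlib
from pathlib import Path

# Domain -> (Root child to add, value), straight from the two posts. Both
# values are strings on purpose: the "Class" column must read String, so
# we never write a boolean or an integer here.
SECURE_PREFS = {
    "com.google.GmailNotifier": ("SecureAlways", "1"),
    "com.iconfactory.Twitterrific": ("protocol", "https://"),
}

# Constructed sample: a Notifier plist where the key was added as a boolean
# instead of a String. It must be rewritten, not accepted as already secure.
SAMPLE_WRONG_TYPE = plistlib.dumps({"SecureAlways": True, "CheckInterval": 60})


def pref_value(data: bytes, key: str):
    """Return the value stored under `key` at Root, or None if absent."""
    return (plistlib.loads(data) if data else {}).get(key)


def harden_plist_bytes(data: bytes, key: str, value: str) -> tuple:
    """Return (plist bytes, changed). Keeps every other Root child and the
    file's original format (binary or XML, which plistlib autodetects)."""
    root = plistlib.loads(data) if data else {}
    if not isinstance(root, dict):
        raise ValueError("expected a dictionary at Root")
    if isinstance(root.get(key), str) and root[key] == value:
        return data, False  # already secure: leave the file untouched
    root[key] = value
    fmt = plistlib.FMT_BINARY if data.startswith(b"bplist") else plistlib.FMT_XML
    return plistlib.dumps(root, fmt=fmt), True


def harden_all(prefs_dir=None) -> dict:
    """Fix each installed app's plist in ~/Library/Preferences and report
    per domain. Quit the app first, as the posts say, or it may overwrite."""
    prefs_dir = Path(prefs_dir) if prefs_dir else Path.home() / "Library" / "Preferences"
    results = {}
    for domain, (key, value) in SECURE_PREFS.items():
        path = prefs_dir / f"{domain}.plist"
        if not path.exists():
            results[domain] = "not installed"  # never create prefs for an absent app
            continue
        new, changed = harden_plist_bytes(path.read_bytes(), key, value)
        if changed:
            path.write_bytes(new)
        results[domain] = "fixed" if changed else "already secure"
    return results


if __name__ == "__main__":
    for domain, status in harden_all().items():
        print(f"{domain}: {status}")
```

Running it a second time reports "already secure" for both domains, which doubles as a quick check that the setting stuck after the app was restarted.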

I don’t get why the developers put this in the plist if they didn’t at some point expect that functionality to be used. If that was the case, what is with the lack of an option in the configuration area for this tool? At any rate, pissed off as I am that it has been doing this for so long, it’s secure now. I guess I am going to have to audit all my passwords again … sigh.

Oh and a major plug to the makers of Little Snitch, Objective Development! You can pick up this software here. Without that program, I probably would never have suspected such a glaring security issue was occurring. Pretty handy little program.

I hope this isn’t the case with the iPhone version of Twitterrific. I don’t like having to check behind every damn tool or application I use. In this day, it is simply inexcusable to not think about security first in your application development.

**** Update ****

Okay, so I guess I am an idiot for not reading the “Read Me” file in the Twitterrific download. It states:

protocol -string "http://" Allows Twitterrific to be configured for other protocols, such as "https://".

Which is basically what I outlined above. I received an update from their support stating that the next version will have this by default for both clients, Mac and iPhone. So hopefully that comes very soon! Good work guys!
