Connected App Hygiene
Overview: Don't let orphaned apps degenerate into an unlocked back door to your account.
About This Lesson Plan
Review date: October 9, 2017
Lesson duration: 30 minutes
Introductory. This is a great exercise to do as a group. Sometimes people need to convene and be reminded together to do this little bit of homework. This could also be a great icebreaker to a longer and more challenging lesson -- everyone will leave knowing that they got something done! Think of it as an install party, for uninstalling.
What materials will participants need?
Everyone should have their laptop.
What materials will the instructor need?
You want some way to share links with folks. https://etherpad.opennews.org/ is handy for that, or you can send out this URL in advance.
How should the instructor prepare?
Review the recommended reading.
Take stock of any social networks that your own office is active in that aren't on this list and find the privacy settings and connected apps for that network. Consider filing an issue or pull request if those instructions should be part of this lesson plan.
Imagine that every time you gave someone a key to your place -- an overnight guest, a contractor, a cleaning service -- that key continued to work even after you changed your locks. And imagine the last contractor you gave your keys to hung it on a board full of keys, with your address on the tag. Picture the contractor throwing a party in their shop. Or quitting the contracting business and opening a bar without ever clearing up that key wall. Abandoning the whole warehouse to go find themselves at Naropa. Those are your connected apps. Side doors to your social media accounts that stay open, even if you change your password.
Even with strong password policies and two-factor authentication in place, an old connected app is still a way into your account. When you authorized the app it was issued its own access token; that token keeps working after you change your password, and your second factor is never asked for when the app uses it. If the app's developer gets careless or compromised, so does your account.
So go through the apps connected to your social media accounts and make sure that they're all things you're still using. Disable anything you aren't using anymore. Be ruthless.
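The same "be ruthless" rule, written down as a triage script. This is an added example, not part of the lesson plan: the export format (name, granted scopes, last use) is an assumption, the records are constructed, and the 90-day cutoff and the "high-risk scope" set are policy choices you would tune; the scope names themselves are GitHub's real OAuth scope names.

```python
"""Triage a list of connected apps (OAuth authorizations) before revoking.

Added example for the connected-app lesson; not code from the lesson plan.
Input shape is an assumption: one record per app with its name, the scopes
you granted it, and an ISO-8601 timestamp of the last time it used the token
(or null if the platform never recorded a use).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Scopes that let an app change things, not just read them. These are
# GitHub's real scope names; calling them "high risk" is our choice.
HIGH_RISK_SCOPES = frozenset({
    "repo", "admin:org", "delete_repo", "workflow",
    "admin:public_key", "write:public_key", "admin:gpg_key",
})

STALE_AFTER = timedelta(days=90)  # assumption: pick a cutoff your newsroom agrees on


@dataclass(frozen=True)
class ConnectedApp:
    name: str
    scopes: frozenset[str]
    last_used: datetime | None  # None: no recorded use at all


def _parse_time(value: str | None) -> datetime | None:
    """Parse an ISO-8601 timestamp; treat a naive timestamp as UTC."""
    if not value:
        return None
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def parse_apps(records: list[dict]) -> list[ConnectedApp]:
    """Turn raw export records (shape assumed, see module docstring) into ConnectedApp."""
    return [
        ConnectedApp(
            name=r["name"],
            scopes=frozenset(r.get("scopes", [])),
            last_used=_parse_time(r.get("last_used")),
        )
        for r in records
    ]


def triage(apps: list[ConnectedApp], now: datetime) -> dict[str, list[str]]:
    """Sort apps into revoke / review / keep buckets, by name, in input order.

    revoke: unused for longer than STALE_AFTER, or never used. An app you are
            not using has no business holding a token to your account.
    review: still in use but holds a scope that can modify your account;
            confirm it really needs that access.
    keep:   in use, read-only scopes.
    """
    buckets: dict[str, list[str]] = {"revoke": [], "review": [], "keep": []}
    for app in apps:
        stale = app.last_used is None or now - app.last_used > STALE_AFTER
        risky = bool(app.scopes & HIGH_RISK_SCOPES)
        if stale:
            buckets["revoke"].append(app.name)
        elif risky:
            buckets["review"].append(app.name)
        else:
            buckets["keep"].append(app.name)
    return buckets


# Constructed sample export; the app names and dates are invented.
SAMPLE_RECORDS = [
    {"name": "Newsroom Slack bot", "scopes": ["read:user", "user:email"],
     "last_used": "2017-10-08T09:00:00+00:00"},
    {"name": "Conference hackathon demo", "scopes": ["repo", "admin:org"],
     "last_used": "2016-03-20T14:00:00+00:00"},
    {"name": "CI service", "scopes": ["repo", "workflow"],
     "last_used": "2017-10-07T22:15:00+00:00"},
    {"name": "Old cross-poster", "scopes": ["gist"], "last_used": None},
]

# "Now" pinned to this lesson plan's review date so the run is reproducible.
NOW = datetime(2017, 10, 9, tzinfo=timezone.utc)


if __name__ == "__main__":
    for bucket, names in triage(parse_apps(SAMPLE_RECORDS), NOW).items():
        print(f"{bucket}: {', '.join(names) or '(none)'}")
```

The script only decides; revocation still happens in each platform's settings page. Note that a never-used app lands in "revoke" rather than "keep": an absent last-use date is not evidence that the token is harmless.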
It is worth taking a moment to take a look at any additional social networks that you're active on but aren't on this list. Look around in the privacy settings and tweak them as appropriate.
Bonus: Recognized Devices, Cookies, Keys
This is also a good opportunity to explore the "recognized logins" or active-sessions section of each platform. Old sessions and expired keys are less likely than a connected app to serve as a vector for an outsider, but reviewing them is a good way to spot logins, devices or keys you don't recognize.
GitHub
- Active sessions: https://github.com/settings/security
- SSH keys that grant access to your account: https://github.com/settings/keys
- Email addresses on file: https://github.com/settings/emails
Facebook
- General privacy settings: https://www.facebook.com/settings?tab=privacy
- Active logins: https://www.facebook.com/settings?tab=security&section=sessions&view
Twitter
- Privacy settings: https://twitter.com/settings/safety