Pushbullet swears your data’s safe as it plans security upgrade


Pushbullet has acknowledged a major security concern with its popular Android app and promised to make improvements in future updates.

The company is working hard to implement the OAuth authorization framework to provide users with limited and revocable API keys that will make their data more secure — but it insists that your data is safe in the meantime just as long as you don’t share your existing key.

When I wrote a post about the latest Pushbullet update last week, and gushed about how much I loved using it, I was unaware of a security concern that was recently revealed by a third-party developer on Reddit. Before you rush off to uninstall the app, however, you should know that it isn’t as bad as it sounds.

“Recently, I noticed that Pushbullet released a new API which makes use of websockets, a new real-time communication methodology between you and the server,” explains thecodingdude. “Information is sent from the socket and back down to the client, which can then make use of any data it receives.”

In simple terms, here’s how it works. Every Pushbullet user is assigned an API key — you can find yours on your account page — which allows apps to connect to your Pushbullet “stream” and read the data flowing through it. That includes your text messages and email previews, URLs, and any files you send through the service.

If this API key falls into the wrong hands, then there’s a good chance your data will, too.

“I decided to get a friends key, put it in [to an app demo Pushbullet provides], and then see what I could access, and sure enough, as I was leaving him messages and as he was receiving messages, I was getting their content verbatim in close to real-time,” writes thecodingdude.

The biggest concern about Pushbullet is that its API keys never expire or update, so once you’ve been assigned one, it will remain the same for as long as you continue using the service. You cannot revoke your API key, either — the only way to untie yourself from it is to quit using the service and delete your account.

It’s important to remember, however, that as long as you don’t share your API key with anyone, your Pushbullet data should be safe. Even so, Pushbullet’s developers have conceded that there is a better way — and it’s coming soon.

“We’re already working on an OAuth system (like we use for IFTTT and Zapier) to generate limited and revocable keys (just like Google does) but this isn’t done yet,” Pushbullet co-founder Ryan Oldenburg announced on Reddit. “I built the feature we last launched (inter-device mirroring) and my co-founder who’s working on the back-end is hammering away on this.”

Oldenburg says OAuth authorization should be ready “very soon,” and that Pushbullet is working to make API keys revocable. He also emphasizes that “your API key isn’t out there for anyone to grab. It’s essentially your password so as long as you don’t share it, you’re secure.”

Keep an eye out for upcoming Pushbullet updates in Google Play, and in the meantime, be sure not to share your Pushbullet API key with anyone.