April 16, 2012
Update, April 19, 2012:
It seems that Google isn’t showing my user review on the app. At best, they’re holding it for human eyes to review since it was both a 1-star review and contained a URL back to this blog post. At worst, they mark those comments as spam so only the author of the comment can see it. Here’s a screenshot of my comment:
Update, November 2016
My review still isn’t showing up for anyone but me and this is really alarming. When I originally wrote this post in 2012, version 1.3.3 had been published on March 2, 2012. As of late 2016, it says 1.3.3 is still the latest version, but marks a publish date over a year later, April 22, 2013. I reinstalled the app and published notes to Google Drive and it STILL shares the document with firstname.lastname@example.org as the editor!!
At work, I’m the permanent scrum-master for my team, and was looking for tools that would help semi-automate the process, or at least provide a better way of taking notes to share with other teams than writing on a notepad and typing it up on my system afterward. Elmter Thomas was always much better at this sort of thing, using some tool that would generate nice notes based on markdown.
The App in Question
Scrum Master Assistant, on the surface, looks like a great tool. You can set up multiple kinds of meetings, add participants, add notes, new issues, it even has a timer so you can track who’s a chatterbox during scrum to keep things running quickly and smoothly. They’ve recently added a “publish to Google Docs” feature which makes a pretty neat spreadsheet. I figured I’d test it out before our actual scrum meeting and could NOT believe what I saw.
The Problem at Hand
In the settings, I had already told the app which Google account to use for publishing to Google Docs:
When you publish to Google Docs for the first time, the app prompts you for permission, which I would have expected:
A second prompt asked for access to Google Spreadsheets, which I also allowed.
Once published, I logged into Google Docs, and saw that the spreadsheet for my sample meeting, where I was the only attendee, had sharing permissions set to “only the people listed below” but to my horror saw that the app developer added THEMSELF as a shared person on the document. If that wasn’t bad enough, they added themselves as an EDITOR to the document:
I couldn’t believe that the developer would pull such a blatant move. I immediately [left feedback on Google Play](https://play.google.com/store/apps/details?id=com.ean.scrumtimer&reviewId=10165753931568085562) and uninstalled the app. Then I reinstalled it to grab screenshots.
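The check that would have caught this, as an added example that is not part of the original post: a small Python audit over Drive sharing records that flags grants to accounts the owner never added. The record shape is assumed to mirror a Google Drive API v3 `permissions.list` response (the UI's "Editor" is the API role `writer`); the file ids and addresses are constructed placeholders, and the walrus operator needs Python 3.8 or later.

```python
# Added example (not from the original post): flag Drive sharing grants to
# accounts you never added. Record shape mirrors a Drive API v3
# `permissions.list` response; file ids and addresses are constructed.
# Drive API role names; the Drive UI labels "writer" as "Editor".
PRIVILEGED_ROLES = {"owner", "writer", "fileOrganizer", "organizer"}


def unexpected_grants(permissions, allowed_accounts, allowed_domains=()):
    """Return grants that widen access beyond the allowlist: any user/group
    outside allowed_accounts (a reader can still copy the notes), any domain
    not in allowed_domains, and anyone-with-link. 'privileged' marks roles
    that can edit or re-share."""
    allowed = {a.lower() for a in allowed_accounts}
    domains = {d.lower() for d in allowed_domains}
    findings = []
    for perm in permissions:
        kind, role = perm.get("type"), perm.get("role", "")
        if kind in ("user", "group"):
            if perm.get("emailAddress", "").lower() in allowed:
                continue
        elif kind == "domain":
            if perm.get("domain", "").lower() in domains:
                continue
        elif kind != "anyone":
            continue
        findings.append({**perm, "privileged": role in PRIVILEGED_ROLES})
    return findings


def audit_files(files, allowed_accounts, allowed_domains=()):
    """Map file id -> findings, keeping only files that have any."""
    return {fid: hits for fid, perms in files.items()
            if (hits := unexpected_grants(perms, allowed_accounts, allowed_domains))}


# Constructed sample: sheet-1 is the situation in the post (an unknown account
# added as editor by the app); sheet-2 is shared only with a known teammate.
SAMPLE_FILES = {
    "sheet-1": [
        {"type": "user", "role": "owner", "emailAddress": "me@example.com"},
        {"type": "user", "role": "writer", "emailAddress": "app-dev@example.net"},
    ],
    "sheet-2": [
        {"type": "user", "role": "owner", "emailAddress": "me@example.com"},
        {"type": "user", "role": "reader", "emailAddress": "teammate@example.com"},
    ],
}
```

Running `audit_files(SAMPLE_FILES, {"me@example.com", "teammate@example.com"})` reports only sheet-1, with the unknown writer marked privileged.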
When you install the app, it tells you about the following permissions:
- modify/delete USB storage
- take pictures and videos
- full internet access
- act as an account authenticator, use the authentication credentials of an account
- read contact data
- view network state
- discover known accounts
On the surface, those permissions seem fine, given the published list of features of the application. Namely, it would use your contacts to add people to meetings, it could take a picture of who was at the meeting, needs Internet access to publish notes online, and needs access to your Google account to push to Google Docs. I suppose it needed access to your USB data in order to save notes to your device.
Version 1.3.3 of the app, published March 2, 2012, says it fixed a few defects and removed unnecessary user permissions. As of version 1.3.1, it said it was no longer ad-supported, yet it maintains a full name of “Scrum Master Assistant (adware)”, and added the Google Docs integration.
The Description of the app says this:
**** No Ads ****
**** Publish reports to Google Docs (Beta) ****
**** Adapted for tablets ****
The application will help Scrum Masters at daily Scrums to gather impediments and help team members stay focused, restrict the meeting duration to 15 minutes. Every meeting is immediately followed by a scrum report with all the collected issues and meeting details to show who was too talkative.
Features
- Meeting duration timer and timer for every participant to keep everyone focused on agenda
- Participant details, photo can be imported from Phone Contacts. Contacts can be synchronized with Google contacts
- A photo can be also captured using a phone camera or taken from a picture gallery
- Collected Action items, issues can be shared via Google Docs or sent as Excel report to e-mail
Key words: Agile tool, Scrums, Daily Scrum, Standup, Scrum Master, Meetings, Meeting Notes, Meeting Minutes
There is NO notice anywhere within the app that tells you the app is going to share every document with the dev. There’s no disclosure of why they need access to USB storage.
How have no other users reported this yet??
My Review Text
Wtf, google docs get shared with app developer. I can’t believe the app developer would blatantly share google docs with his account by default. What a horrible security hole! Users beware!!! See http://goo.gl/GTLoN for screenshots. How have 1,000-5,000 installed users not reported this?!