"iWard" iPhone App
-
- New Member
- Posts: 2
- Joined: Tue Sep 29, 2009 3:53 pm
- Location: Highlands Ranch, Colorado, USA
-
- New Member
- Posts: 1
- Joined: Thu Dec 17, 2009 4:45 pm
- Location: San Diego, CA, USA
iStake-like app for the Blackberry?
Has anyone heard anything about (or created one) an iStake-type application for the Blackberry? This would be very useful. Many thanks!
-
- New Member
- Posts: 1
- Joined: Wed Sep 24, 2008 11:18 pm
- Location: Canada
-
- Senior Member
- Posts: 1345
- Joined: Wed Jun 11, 2008 9:52 pm
- Location: Austin TX
- Contact:
Is iWard processing on Third Party servers?
My impression from reading this thread and related threads here about the iWard and iStake apps has always been that these apps merely connected the user's device directly to LUWS as a browser-client and downloaded the directory data to the handheld.
Now I am not at all sure that is the case. I have seen a report that iWard connects to the vendor's own servers, which in turn connect to LUWS using the user's logon credentials. I have just sent the vendor, Avikey, an email inquiring about this. Does anyone have detailed knowledge about this one way or another?
-
- Senior Member
- Posts: 1345
- Joined: Wed Jun 11, 2008 9:52 pm
- Location: Austin TX
- Contact:
boomerbubba wrote:I have just sent the vendor, Avikey, an email inquiring about this. Does anyone have detailed knowledge about this one way or another?
It turns out that the vendor's server is in the processing loop. The reply from Avikey to me said:
Yes.. the parsing rules for the device are delivered using our server.
That way, if the church substantially changes the layout of LDS.org,
we can adjust the parsing rules remotely that are used by your device.
So in this sense, yes, the app does require the use of a third party
server to work. If that server is missing, the app will fall back on a
default set of parsing rules.
-
- Member
- Posts: 86
- Joined: Fri Jan 19, 2007 3:29 pm
- Location: Salt Lake City, UT
boomerbubba wrote:My impression from reading this thread and related threads here about the iWard and iStake apps has always been that these apps merely connected the user's device directly to LUWS as a browser-client and downloaded the directory data to the handheld.
Now I am not at all sure that is the case. I have seen a report that iWard connects to the vendor's own servers, which in turn connect to LUWS using the user's logon credentials. I have just sent the vendor, Avikey, an email inquiring about this. Does anyone have detailed knowledge about this one way or another?
That is my understanding as well. You actually send your user credentials to Avikey and they use them to access your unit website.
-
- New Member
- Posts: 2
- Joined: Mon Jan 04, 2010 8:18 am
- Location: USA
Reading the linked discussion on google groups and this thread gives me the heebie-jeebies. When I consider all the special instructions I was given as a membership clerk to sanitize our ward directory of various sisters' names and contact information due to stalking problems, that these apps are used by leaders and not strictly forbidden by policy is shocking.
One would hope that the membership information in the ward web page would be clear of such information already (a thing which I have not tried to verify), but regardless of that, it just seems irresponsible to carry around such a comprehensive set of information about members on a computer without any security arrangements. The only way I could see such an app being acceptable is if it
- used an official church-provided tool to download the data securely, using the user's login via interactive prompt
- said tool encrypts this local data archive according to a user-provided password
- each invocation of an app that accesses the data requires a password that should not be saved in the app (this is IMO the only appropriate place to allow trust that an app developer will follow policy)
-
- Senior Member
- Posts: 1345
- Joined: Wed Jun 11, 2008 9:52 pm
- Location: Austin TX
- Contact:
Look at the new MyWard / MyStake app instead
lakeytw wrote:That is my understanding as well. You actually send your user credentials to Avikey and they use them to access your unit website.
I have recently heard about a new and different iPhone app called MyWard, which has functionality similar to iWard/iStake but apparently without the issues raised about the latter.
(Note: This may be confusing, because there already is a very different product also called "MyWard," which uses MLS data and has nothing to do with this matter.)
In any case, I have been assured by the developers of the new MyWard app that it does make its secure connection directly to lds.org from the user's device. And I have been told of independent testing that confirms this empirically: Traces of the SSL connection go from the phone to lds.org.
As for Avikey, the iWard developer, I sent them a followup message last night asking specifically if their server connects to lds.org, rather than the iPhone client. I have received no reply, and the empirical test results I have seen seem to show that the iPhone connects only to Avikey's domain.
Frankly, at this point, I feel like I have been misled about Avikey's products, and I feel bad that I have recommended them to users. I now see that a strict reading of Avikey's website can be parsed to encompass what the real architecture is. But that is certainly not the impression that I had before from reading that site or reviews in the LDS community.
So I would recommend against iWard/iStake, and suggest that users investigate MyWard from truestarapps.com instead. (Just to clarify, the app is called MyWard but it apparently also includes the stake functionality.)
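The kind of empirical check described in the post above (seeing where the phone's SSL connections actually go) can be scripted. This is an added example, not part of the original thread or of either app's code; the trace format, the sample records and the hostname `api.vendor.example` are constructed assumptions.

```python
from collections import Counter

FIRST_PARTY = "lds.org"  # domain the thread says the login should reach

# Constructed "time client server_ip:port sni" records, standing in for a
# summary exported from a capture on the network the phone is joined to.
DIRECT_TRACE = """\
10:02:11 192.0.2.10 198.51.100.7:443 secure.lds.org
10:02:12 192.0.2.10 198.51.100.7:443 secure.lds.org
"""
RELAYED_TRACE = """\
10:05:40 192.0.2.10 203.0.113.25:443 api.vendor.example
10:05:41 192.0.2.10 203.0.113.25:443 api.vendor.example
10:05:42 192.0.2.10 203.0.113.80:443 -
"""

def in_domain(host, domain):
    """True only for the domain itself or a subdomain (label-boundary match)."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def parse(trace):
    """Yield (server, sni) per well-formed record; '-' means no SNI was seen."""
    for line in trace.splitlines():
        fields = line.split()
        if len(fields) == 4:
            yield fields[2], (None if fields[3] == "-" else fields[3])

def classify(trace, first_party=FIRST_PARTY):
    """Return (verdict, Counter of endpoints outside the first-party domain)."""
    first, other = 0, Counter()
    for server, sni in parse(trace):
        if sni and in_domain(sni, first_party):
            first += 1
        else:
            other[sni or server] += 1  # fall back to ip:port when SNI is absent
    if first and not other:
        verdict = "direct"
    elif other and not first:
        verdict = "relayed-or-unknown"  # phone never contacted the first party
    elif first:
        verdict = "mixed"  # metadata alone cannot say which leg carried the login
    else:
        verdict = "no-traffic"
    return verdict, other

if __name__ == "__main__":
    for name, trace in (("direct", DIRECT_TRACE), ("relayed", RELAYED_TRACE)):
        print(name, *classify(trace))
```

A trace taken at the phone only shows which hosts the phone contacted; it cannot show what a vendor server does upstream, which is why the second verdict is not simply "relayed".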
-
- Community Moderators
- Posts: 11479
- Joined: Mon Mar 17, 2008 10:27 pm
- Location: US
Flandry wrote:Reading the linked discussion on google groups and this thread gives me the heebie-jeebies. When I consider all the special instructions I was given as a membership clerk . . .
Is this member data security nightmare just a temporary artifact of the time it takes to get policy decisions through a large organization, or does the church IT dept. really not care about this?
The Church IT department cares very deeply about this. Yes, these are very changing times. And it does take some time to get policy decisions through a large organization.
However, the policy is actually in place, and this particular very large organization is not in the business of providing detailed day to day instructions on living our lives. The Church teaches principles, and then we do as Joseph said.
There are policies in place relating to the use of third party servers, and leaders have very specific instructions about securing any information that comes out of MLS and goes onto their personal devices, including passwording, protecting, using only for callings, and removing it when they are released. You have outlined some of them in your post.
The challenge I see is that there are many who seek convenience over the care that should be given to protect membership information. The current policy, as I understand it, points to protection before convenience.
And that inconveniences some who do not wish to be inconvenienced in that manner.
The Israelites had the same problem when Moses led them out of Egypt. We just have different toys today. [grin]
-
- Senior Member
- Posts: 1345
- Joined: Wed Jun 11, 2008 9:52 pm
- Location: Austin TX
- Contact:
lajackson wrote:There are policies in place relating to the use of third party servers, and leaders have very specific instructions about securing any information that comes out of MLS and goes onto their personal devices, including passwording, protecting, using only for callings, and removing it when they are released. You have outlined some of them in your post.
The particular case of iWard/iStake is not necessarily a matter of knowingly choosing to disregard policy. And it does not affect only leaders, but also rank-and-file members. The immediate information in question is not MLS content, but LUWS content -- plus two very significant pieces of data: the LDS Account username and password of the user. That notwithstanding the fact that the LDS Account Conditions of Use say (emphasis in original):
You may not share your LDS Account password with anyone.
I rather suspect that most users of this product are not even aware of how it really functions. I was not until about 24 hours ago, and I am probably better informed than most non-technical members. The very cleverly worded PR of the site obscures these facts, IMHO, if only by omission and ambiguity. A user might be forgiven for thinking that he is connecting to secure.lds.org via a single, end-to-end SSL connection to his own device, just like he might do with an online banking client or browser. The website says:
All of the data exchanged between your device and LDS.org is done over encrypted SSL connections and we don't store or view any of your information our servers (or anyone else's servers, for that matter).
Note the "s" in "connections."
(I actually have never used the product because I don't happen to be an iHead. But if I owned an iPhone I probably would have done so in ignorance of the technical facts. While misunderstanding these facts, I have referred other users to the app. Actually, it was while doing so in another forum last night that I learned what I wish I had known earlier.)
Of course, compromising LDS Account credentials is more serious for leaders, because their credentials can potentially connect them to other things that rank-and-file members cannot. And I know from anecdotal comments in this forum and elsewhere that many stake leaders use iStake.
I am not accusing the operators of iWard/iStake of doing anything malicious with anyone's credentials. But I think I would be violating policy to use the product. Knowing what I know now, I certainly would be violating common sense. The architecture is inherently insecure.