iOS 17.5.1
JJ's House for iOS (version 5.6.1)
07/06/2024
Description:
For years now I have looked at Google OAuth consent screens, spotted problems, and then promptly forgot about them. No more! From now on, if I spot a problem with the Google OAuth consent screen that is used by an iOS app, I will document it. Maybe I will even start a whole new blog.
First up: the Google OAuth consent screen used by an app called JJ's House for the iPhone. Let's take a look at what this looks like:
Shouldn't look like this!
Curiously the Google OAuth consent screen that the user is taken to via the app (which you can access here) is not the same as the OAuth consent screen that the user is taken to when accessed via web. You can access the web consent screen here.
This obviously is a problem, and the end user experience for the user using the iOS app is poor. This appears to go against
Google's own rules.
I feel motivated to report these, and I will endeavor to write them down when I spot them.
Steps to Reproduce:
2. Select "Sign in / Register"
3. Select the Google logo
4. From the ""JJsHouse" wants to Use Google" prompt, select "continue"
5. From the consent screen, note that the app's name isn't listed (instead says "project-804447566408")
6. Click on "project-804447566408"
7. Note less than informative contact email (email address seemingly unrelated to app)
Result: When accessed via the iOS app, the Google OAuth consent screen for JJ's House is missing the name of the app. The app name is represented as: "project-804447566408"
Expected: When access via the iOS, the Google OAuth consent screen for JJ's House should display the correct name of the app - not "project-804447566408"
Down the JJ's House app for iOS and select the Google logo...
Select "Continue" from the prompt...
The Google OAuth consent screen does NOT list the name of the app. This only happens when accessed via the iOS app. This does not happen on web...
Email contact under "Developer Info" - the email address appears to have no connection to the app. As an end user, am I supposed to trust this address?