What permissions do Marketplace apps get?


#1

If I use a Marketplace app, for example Flux, what permissions to my account does it get? Does it get full permission to see my whole transaction history? With all notes, tags & attachments? All payees? Will I be asked before an app gets access to that, or does it have access as soon as I press “ADD” in the Marketplace?
For example, the Flux description only says “…will match […] through your transaction data” (so they presumably have access to my whole transaction data?), and “Please make sure you’re comfortable with our T&C & Privacy Policy […]”.
Flux is just an example, I am worried about this in general. How fine-grained are the permissions and at what point does an app get access?


#2

It actually depends on the access a particular company has been approved by Starling to have. There are various levels of access Starling can grant, some levels only give basic account access, other levels can give balance, transactions and so on.

Starling approve each app separately, and don’t just give access to a company unless they have gone through thorough checks first.

So there is no simple answer to your question.


#3

Hi Mike,

You can tap Marketplace / more options Ellipsis button in the top right corner / manage providers / pick a provider and then you can see all the access rights listed for them.


#4

@Kris: Hi! So I did that but that list is empty. That probably means I need to “ADD” the app first, before I can then check the permission that it’s got. This is very problematic. A user needs to see the permissions that an app will get before adding it. What if I add it and then go to “manage providers” and check what permission it’s got - at that point, the app presumably already has or had access to my account?

It’s of course good to hear that Starling carefully (hopefully?) checks these apps. But do they also check what these companies then do with the data? I.e. that Flux only uses it to match transactions and then deletes or not further stores the data or doesn’t use it for any other purpose? Presumably they can’t check that.


#5

Megan has gone into detail around permissions for Marketplace partners. Have a quick search and hopefully something will come up.


#6

https://www.starlingbank.com/blog/marketplace-financial-products/

It was explained by Megan the Chief Platform Officer all about Marketplace and how they give permissions.

Cecilia also explained a bit about due diligence.


#7

When I tried to install Flux they basically wanted access to my whole account and all my data so I didn’t sign up.

I’m of the opinion that Flux asks for way more access than is needed and opted not to complete sign up.


#8

@Joe_Merriman I presumably found Megan (https://community.starlingbank.com/u/Megan_Caywood/summary) but couldn’t find any relevant posts by her.

@daedal That blog post also literally does not talk at all about app permissions in the market place (or am I blind? Please tell me if I am :slight_smile: ).

My two points from above still stand and I think they’re very important - particularly being able to see permissions that you give BEFORE clicking “ADD”. I am not clicking “Add” before I know what I am getting into.

I totally share @thefifthrace’s concern and his message actually concerns me even more, it doesn’t sound like Starling restricts permissions as much as they could.


#9

@Megan_Caywood when you have a chance, if you could jump on this thread and give a bit of info regarding permissions and @mike2 has raised a couple of points :slight_smile:


#10

Maybe this reply might explain a bit more


#11

@daedal This is interesting, but I believe you can only go to that screen once you have already added an app and already given it all the permissions.


#12

When you click add it tells you the permissions you are giving to the app. So you can choose to go ahead or not.


#13

That’s great to know, but I’d like to know that before I click an “Add” button. Who knows before clicking “Add” if there will be a confirmation dialog or if it will go straight to installing the app and allowing it to read all my data? You do not know. But you need to know. Otherwise I’m not clicking. I’m not clicking “Add” without knowing what it’ll do and if there will be another confirmation dialog before it gives access to all my personal banking data.


#14

You get an opportunity to review the permissions being granted to the third party app before you click “approve” or “deny”. Clicking “add” itself just takes you to the below screen:


The way that the OAuth integration works is that the third party gets granted an access token which can be used to call the Starling API for your account - but only when you click “approve”.

“Deny” takes you safely back to Starling if you aren’t comfortable with what you see.

It’s also worth noting that under the new GDPR regulations, companies must only use your data for the purposes expressly set out in their privacy policy, and must grant you the rights to delete your data (provided that they don’t need to keep it for legal, regulatory reasons, or if they can demonstrate legitimate interest). Caveat: not a GDPR expert.


#15

This is what Tails asks for. My concern here is that to get to this information I had to:

  1. click Tails on the Marketplace
  2. download the Tails app
  3. create a Tails account
  4. then go back to Starling and click on the app again in the Marketplace

All of this just to discover it’s asking for more information than I think they need and than I’m prepared to trade for some special offers.

I’m not trying to be negative, I’m a huge fan of what Starling are doing but more upfront transparency from all parties is required here.


#16

The tails app is a killer. My phone notified me that they were draining my battery.

I uninstalled it, but still remained linked.

I have now disallowed access to all of it, but still… I’m not a fan!


#17

I so much agree with what @thefifthrace wrote!
Starling is awesome but it really seems like in this case Starling didn’t learn anything from the Facebook app “data sharing disaster”. You really have to do better nowadays. Even Google managed to get permissions more or less right in Android 7/8+… took them years…

You gotta be

  1. Very up-front about permissions, before you have to install or sign up to anything or click ANY “Add” button (which might potentially perform an un-doable data sharing action!)
  2. You have to have some granularity for permissions and be very strict, read very strict about permissions as “manager” of the Marketplace, and only give apps the minimum needed permissions, and not a tiny bit more. No blanket access or anything like that.
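
Added example, not part of the thread and not Starling's code: a minimal Python model of the consent flow described in #14 (a token exists only after "approve") combined with the up-front preview and minimum-scope enforcement asked for in #17. The class, the app names and the scope names are hypothetical; the thread does not list the real ones.

```python
import secrets

# Hypothetical per-app scope allowlist, set by the marketplace operator.
APPROVED_SCOPES = {
    "flux-example": {"transaction:read"},
    "tails-example": {"account:read", "balance:read"},
}

class ConsentError(Exception):
    pass

class Marketplace:
    def __init__(self, approved):
        self.approved = approved
        self.pending = {}  # request_id -> (user, app, scopes)
        self.tokens = {}   # token -> (user, app, scopes)

    def preview(self, app):
        """Permissions shown on the listing, before any 'Add' click."""
        return sorted(self.approved[app])

    def add(self, user, app, requested):
        """'Add' only opens the consent screen; no token exists yet."""
        excess = set(requested) - self.approved[app]
        if excess:
            raise ConsentError(f"{app} requested unapproved scopes: {sorted(excess)}")
        request_id = secrets.token_urlsafe(16)
        self.pending[request_id] = (user, app, frozenset(requested))
        return request_id, sorted(requested)

    def decide(self, request_id, approve):
        """Consume the pending request; issue a token only on approve."""
        user, app, scopes = self.pending.pop(request_id)
        if not approve:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, app, scopes)
        return token

    def authorize_call(self, token, needed_scope):
        """API-side check: the token must exist and carry the scope."""
        grant = self.tokens.get(token)
        return grant is not None and needed_scope in grant[2]

    def revoke(self, user, app):
        """'Manage providers': drop every token the user granted to the app."""
        doomed = [t for t, (u, a, _) in self.tokens.items() if (u, a) == (user, app)]
        for t in doomed:
            del self.tokens[t]
        return len(doomed)
```

Revocation is modelled server-side because, as #16 reports, uninstalling the third-party app does not by itself remove the link to the account.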