Addon Notice Tapatalk

I will be installing Tapatalk soon. I am going to hold off until the DNS settings have propagated fully and the site is working normally via the URL, and I also need to test a few things out.

Tapatalk recently updated their addon, and things went haywire. They don't have a very good track record of testing things after they make changes. So I'm going to be testing out the latest version on my site first to make sure it's working properly.

In the meantime, mobile users will need to go to the site via browser. I think you'll find that Xenforo works pretty well on mobile

 

Posted from Tapatalk!

Tapatalk users need to delete GIRS from your mobile device, then search for "GIRS" or "Girs". For some reason, searching for "Greater Iowa reef society" didn't find it. Maybe I didn't wait long enough after adding it. Whatever, it works

 

I just learned that Tapatalk, the shoddily written addon as it is, has now been shown to be sending password over the interwebz at a level of encryption that "a novice hacker" could exploit.

https://support.tapatalk.com/threads/tapatalk-sends-unencrypted-passwords-over-the-web.31541/

My recommendation at this point is that if you use Tapatalk, make sure that your password is unique enough that one wouldn't be able to use it to guess your password on another site that you really care about, like your bank account, credit card, etc.

I personally use a random password filled with special characters, a different one for everything.

This security hole is kind of the tipping point for me. They might as well be sending clear-text passwords, it is apparently so easy to decrypt them.

I don't think many people on here use tapatalk (as of right now, 38 users) and since XF has a good mobile interface, I'm very seriously considering removing it.

 

As it turns out this is actually not an issue that is unique to Tapatalk. Just about any website that requires a password or any other type of personal information will send this information in clear text or at best weakly encrypted.

The solution is to use an SSL certificate and force HTTPS. Which I have done here, as well as any other site I've ran for quite a while. This results in only encrypted information passing between the user and the server hosting the site. So this isn't as big of a deal as it was made out to me, and not specific to Tapatalk. Which kind of irks me that this guy brought it up this way on TAZ

https://theadminzone.com/threads/tapatalk-sends-unencrypted-passwords-over-the-web.135833/

However, Tapatalk does (apparently) store unencrypted passwords on the user's mobile device. So while the transmission of that password is encrypted, the password itself on the device may not be. So this means that if someone steals your phone, they might easily be able to obtain all your passwords depending on how they were stored by the individual app.

I inquired as to how difficult this is to implement (encrypted passwords) and how common it is, because I'm curious now about all my passwords on my phone!

So at the moment, it appears that Tapatalk will stick around but I'm watching this one pretty closely just to make sure. I find it useful as well, but the developers do not have a very good history of good coding practice.

 

@mrelaz