Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

We do still have to trust you though right njhaveri? If I understand it correctly this is a closed source app with unlimited access to GMail.

How can users be sure that it doesn't do stuff that you say it doesn't or that you are who you say you are, considering "Mimestream LLC" only has an email address and your HN profile has only ever posted about this one app?

Hope that's not too aggressive :) legitimately curious if this is something that you've thought about or if you are planning on gaining reputation over time to the point where people will click through the scary "This app can delete all of your gmails" warning.



This is a very fair concern, and I sympathize with it a lot. I have thought about this a fair bit, and thought about eventually turning this into a "source-available" model (but not yet, I'd at least like to be fully launched on both App Stores first and have some user-base). There are pros and cons to that. At the end of the day, if you install an app from the App Store, you place trust in the developer. App Store Review only goes so far (e.g. look at Epic sneaking in an alternate payment system). Even if I made source available, the typical user has no guarantee that it matches the binary they're installing from the App Store.

I've also thought about starting with an OAuth scope that allows all operations except permanently deleting email, and asking the user to re-authenticate and upgrade their scope the first time they try to permanently delete something. This is a little awkward from the user experience, though. Maybe burying this as a fallback mechanism during the onboarding flow is an option.

General reputation-building is probably the right place to start.


How does Mimestream work in terms of MFA? Im not familiar with how Goolge OAuth handles it, but if I granted access to Mimestream app from one machine, can the same grant be used from another(i.e. bad actor's server)?


Thanks :)


I notice that many, many software + service / SaaS are like that.

"Sign up to our cool thing and see how well it works with all the PII you put in it. We are closed source, do not present our company, our team, or how we intend to earn money. No privacy policy too, but hey.. we do have a nice email"

/endrant

This really surprises me. I'd never try these out. Should be so easy to just be a bit more open.

In this case at least the founder announces himself, which is a good start.


It's a valid question, though I suspect that trust in a paid, MacOS-AppStore environment fundamentally works differently to the open source world.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: