Google Improves Protections Against Unverified Web Apps

Users of G Suite applications will now receive a warning any time they attempt to interact with a new or unverified web application. 

Users of Gmail, Docs and other Google G Suite applications will now receive stronger warnings than before when they attempt to interact with new web applications.

Google this week rolled out a new "unverified app" screen for web applications and application scripts that the company has not yet had a chance to verify. The warning screen will appear before the permissions consent screen for the application so users have an opportunity to determine whether to trust the application or not.

The unverified app screen replaces the "error" message that G Suite users received up to now when they attempted to use web applications that requested permission to access Google user data.

The move is designed to better protect G Suite users against phishing attacks of the sort that involved a fake Google Docs invite earlier this year. In that attack, phishers used the spoofed Google Docs email invitation to get users to grant permission to a third-party web application that then accessed the user's contacts and sent the same spurious invitation out to them as well.

The new app warning will inform users about the potential risks to their personal data posed by such unverified new apps and require them to type in the word "continue" before granting them access to the application.
The warning screen builds on the protections that Google has introduced in recent months to inform users about new web applications and app scripts, said Naveen Agarwal, a member of Google's identity team, and Wesley Chun, developer advocate of G Suite, in a blog.

For example, after the Google Docs phishing attack in May this year the company updated its processes for developers to register new applications or updates to existing ones. The company also updated its risk assessment mechanisms for web applications requiring access to Google user data. The updates include provisions for manual review of new web applications in certain cases.

Earlier this month, Google also introduced a new OAuth apps whitelisting feature that gives administrators better control over how third party applications access and use Google user data. The feature lets G Suite administrators select, or whitelist, the specific web apps that are allowed access to G Suite data while blocking access by other apps.

"In the coming months, we will begin expanding the verification process and the new warnings to existing apps as well," said Agarwal and Chun. In some cases, developers of existing applications will have to go through a new app verification process in order for the warning screen to be removed, they said.

In addition to helping better protect users, the new app warning screen will help application developers as well they noted. Because users have the ability to acknowledge the new app alert and grant permission to an application, developers will have an opportunity to test a new application before Google has an opportunity to formally verify it.

Credit: eWeek

No comments:

Powered by Blogger.