Google will review web apps that want access to its users' data

Based on a new risk assessment process, some apps that want to use Google's identity services might need to undergo a review

In response to recent attacks where hackers abused Google's OAuth services to gain access to Gmail accounts, the company will review new web applications that request Google users' data.

To better enforce its policy regarding access to user data through its APIs (application programming interfaces), which states that apps should not mislead users when presenting themselves and their intentions, Google is making changes to the third-party app publishing process, its risk assessment systems and the consent page it displays to users.

Google is an identity provider, which means other web apps can use Google as the authentication mechanism for users accessing the app. Apps use the OAuth protocol to do this. These apps can also use Google's APIs to send users requests for information stored in Google's services.

Last week, a large number of users received a well-crafted phishing email that asked them to view a document in Google Docs. Clicking on the link redirected them to a Google OAuth consent page that said an application called Google Docs wanted access to their contacts and Gmail accounts.

The reason this spoofing attack worked is that there was no mechanism to prevent a third-party app registered to Google's OAuth service from using the same name as one of Google's own apps -- or the name of another legitimate third-party app.

Since the attack, Google has strengthened its risk assessment for new apps and made other changes to better detect such abuse. So app developers might see error messages when registering new applications or modifying existing ones in the Google API Console, Firebase Console, or Apps Script editor, the Google Identity Team said in a blog post.

On top of this, based on the results of the enhanced risk assessment, some web applications will need to undergo a manual review and approval process that could take from three to seven business days.

"Until the review is complete, users will not be able to approve the data permissions, and we will display an error message instead of the permissions consent page," the Google identity team said.

For now, developers will only be able to request a review during the application testing phase, but in the future, Google will also allow review requests during the registration phase.

Until the app is reviewed, developers will be able to continue testing their app using their own account, as well as to add additional testers.

Join the newsletter!

Or
Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Mobile

Victorinox Werks Professional Executive 17 Laptop Case

Learn more >

Exec

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?