Google will review web apps that want access to its users' data

Based on a new risk assessment process, some apps that want to use Google's identity services might need to undergo a review

In response to recent attacks where hackers abused Google's OAuth services to gain access to Gmail accounts, the company will review new web applications that request Google users' data.

To better enforce its policy regarding access to user data through its APIs (application programming interfaces), which states that apps should not mislead users when presenting themselves and their intentions, Google is making changes to the third-party app publishing process, its risk assessment systems and the consent page it displays to users.

Google is an identity provider, which means other web apps can use Google as the authentication mechanism for users accessing the app. Apps use the OAuth protocol to do this. These apps can also use Google's APIs to ask users for access to information stored in Google's services.

Last week, a large number of users received a well-crafted phishing email that asked them to view a document in Google Docs. Clicking on the link redirected them to a Google OAuth consent page that said an application called Google Docs wanted access to their contacts and Gmail accounts.

The reason this spoofing attack worked is that there was no mechanism to prevent a third-party app registered to Google's OAuth service from using the same name as one of Google's own apps -- or the name of another legitimate third-party app.
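The name-collision gap described above can also be checked from the defender's side. The following is an added example, not code from the article or from Google: it audits a constructed list of OAuth grants for apps whose display name folds to a protected product name while the client ID is not on that name's allowlist. The field names, client IDs, allowlist and small look-alike table are assumptions made for illustration.

```python
import unicodedata

# Constructed allowlist: protected display names and the client IDs allowed to use them.
PROTECTED = {
    "Google Docs": {"official-docs-client.example"},
    "Google Drive": {"official-drive-client.example"},
}

# Small, constructed look-alike table (Cyrillic and Greek letters to Latin); not exhaustive.
CONFUSABLES = str.maketrans({
    "\u043e": "o", "\u0435": "e", "\u0430": "a", "\u0441": "c", "\u03bf": "o",
})

def skeleton(name):
    """Fold a display name to a comparison key so visually equal names compare equal."""
    s = unicodedata.normalize("NFKD", name)   # split accents, fold full-width forms
    s = s.casefold().translate(CONFUSABLES)   # ignore case, map look-alike letters
    # Keep letters and digits only: drops spaces, punctuation, combining marks
    # and zero-width characters.
    return "".join(ch for ch in s if ch.isalnum())

def audit(grants):
    """Return (client_id, shown_name, protected_name) for each impersonating grant."""
    protected = {skeleton(n): (n, ids) for n, ids in PROTECTED.items()}
    findings = []
    for g in grants:
        hit = protected.get(skeleton(g["name"]))
        if hit and g["client_id"] not in hit[1]:
            findings.append((g["client_id"], g["name"], hit[0]))
    return findings

# Constructed sample grants, as an admin might export them from a consent audit log.
SAMPLE_GRANTS = [
    {"client_id": "official-docs-client.example", "name": "Google Docs"},
    {"client_id": "unknown-1.example", "name": "Google Docs"},  # exact name reuse
    {"client_id": "unknown-2.example", "name": "G\u043e\u043egle\u200b Docs"},  # look-alikes
    {"client_id": "unknown-3.example", "name": "Docs Helper"},
]

if __name__ == "__main__":
    for client_id, shown, protected_name in audit(SAMPLE_GRANTS):
        print(f"{client_id}: shows {shown!r}, collides with {protected_name!r}")
```
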

Since the attack, Google has strengthened its risk assessment for new apps and made other changes to better detect such abuse. So app developers might see error messages when registering new applications or modifying existing ones in the Google API Console, Firebase Console, or Apps Script editor, the Google Identity Team said in a blog post.

On top of this, based on the results of the enhanced risk assessment, some web applications will need to undergo a manual review and approval process that could take from three to seven business days.

"Until the review is complete, users will not be able to approve the data permissions, and we will display an error message instead of the permissions consent page," the Google identity team said.

For now, developers will only be able to request a review during the application testing phase, but in the future, Google will also allow review requests during the registration phase.

Until the app is reviewed, developers will be able to continue testing their app using their own account, and to add additional testers.


Lucian Constantin

IDG News Service