Google Intros Unverified App Warnings To Make Up For OAuth's Flaws

Google announced that it will soon warn users when unverified apps request access to their accounts. This change, like other improvements the company has made in recent months, is likely a continued response to the mass phishing attack that affected roughly 1 million people in May.

That attack involved a malicious app disguised as Google Docs. It worked something like this: People received emails claiming they could edit a Google Doc, and when they clicked a link, they were taken to a dummy app that requested access to their Google accounts. Google Docs wouldn't request that access--all that information is staying in the Google family--but that didn't stop people from offering access to their data.

Google quickly responded with a blog post and several tweets outlining its many security features. Later that month, the company introduced new protections to stymie phishing attacks, prevent malware from spreading via attachments, and warn you when you visit malicious websites. Now it's announcing several features designed to make it easier to tell if a given app has been verified.

The first addition is a new screen warning you whenever unverified apps request access to your account. This appears before the screen letting you know what permissions the app is requesting, which means you'll have the chance to back out before you give up that access. That way you won't give an unverified app the ability to manage your email, for example, only to be told a second later that the app is unverified. That would be silly.

The second change brings those verification warnings to Apps Script, which allows developers to make add-ons for Google's services like Docs and Sheets. Google will also use more cautionary language that asks you to "consider whether you trust" a certain app or add-on before you offer up access to your account. Apps Script tools will also feature a banner informing you that they were made by Average Joes, not someone at Google.

The final announcement involved existing apps. Google isn't just subjecting newbies to more scrutiny--it will do the same for established apps by requiring "developers of some current apps" to go through the verification process. (The company didn't say how it will decide which developers have to go through this process.) All of these changes, Google said, are supposed to help make sure people have control over their accounts:

We’re committed to fostering a healthy ecosystem for both users and developers. These new notices will inform users automatically if they may be at risk, enabling them to make informed decisions to keep their information safe, and will make it easier to test and develop apps for developers.

The first two features announced today--the verification warning screen and changes to Apps Script--are rolling out now. Google said the expansion of the verification process to existing apps will start in "the coming months."

  • hannibal
    User friendly... remains to be seen. Safer... sure!
  • gradin
    I'm a developer at a startup that's using the OAuth APIs, and I fully support this rollout effort. My only complaint is the amount of time it's taken to approve changes to the verification forms; 2-8 days is a long time for a developer to wait for approval to release a feature dependent on these services.