Google has moved to bolster the security of its G Suite productivity apps with new warnings over “unverified” third-party apps. The new procedure is in response to a recent phishing scam involving a bogus Google Docs link being distributed via email.
In a blog post, Naveen Agarwal, a member of Google's Identity team, and Wesley Chun, developer advocate for G Suite, said that Google was rolling out an 'unverified app' screen for newly created web applications and Apps Scripts that require verification.
“This new screen replaces the ‘error’ page that developers and users of unverified web apps receive today,” they said.
This new “unverified app” screen comes before the permissions consent screen for the app and lets potential users know that the app has yet to be verified. This will help reduce the risk of user data being phished by bad actors, Google claimed.
According to Google, the new notice will also help developers test their apps more easily.
“Since users can choose to acknowledge the ‘unverified app’ alert, developers can now test their applications without having to go through the OAuth client verification process first,” said Agarwal and Chun.
Google is also extending these protections to Apps Script. As of last week, Apps Scripts requesting OAuth access to data from consumers or from users in other domains may also see the "unverified app" screen.
“Apps Script is proactively protecting users from abusive apps in other ways as well. Users will see new cautionary language reminding them to ‘consider whether you trust’ an application before granting OAuth access, as well as a banner identifying web pages and forms created by other users,” said Agarwal and Chun.
Google said it will extend the verification process beyond newly created apps, to existing apps as well. As a part of this expansion, developers of some current apps may be required to go through the verification flow, according to the blog post.
Agarwal and Chun recommended that developers verify that their contact information is up to date. “In the Google Cloud Console, developers should ensure that the appropriate and monitored accounts are granted either the project owner or billing account admin IAM role,” they said. “In the API manager, developers should ensure that their OAuth consent screen configuration is accurate and up-to-date.”
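An added illustration of that recommendation (not code from the blog post or from Google's tooling): a small audit over an exported project IAM policy that flags any project owner or billing account admin binding held by an account outside a monitored allowlist, and any privileged role with no binding at all. It assumes the JSON shape printed by `gcloud projects get-iam-policy PROJECT --format=json`; the policy contents and account names below are constructed sample values.

```python
import json

# Constructed sample in the shape gcloud prints: a "bindings" list of
# role/members pairs. Every account name here is made up.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:secops@example.com", "user:intern@example.com"]},
        {"role": "roles/billing.admin",
         "members": ["group:finance-admins@example.com"]},
        {"role": "roles/viewer", "members": ["user:auditor@example.com"]},
    ]
})

# The two roles the post says should sit with appropriate, monitored accounts.
PRIVILEGED_ROLES = {"roles/owner", "roles/billing.admin"}


def audit_iam_policy(policy_json, monitored_members):
    """Return {role: [members]} for privileged bindings that need attention.

    A member is listed when it is not in `monitored_members`. A role that has
    no binding at all is reported as ["<no binding>"], because then nobody
    would receive verification notices for the project. An empty dict means
    every privileged binding is held by a monitored account.
    """
    policy = json.loads(policy_json)
    findings = {}
    seen_roles = set()
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in PRIVILEGED_ROLES:
            continue
        seen_roles.add(role)
        unmonitored = sorted(m for m in binding.get("members", [])
                             if m not in monitored_members)
        if unmonitored:
            findings[role] = unmonitored
    for role in sorted(PRIVILEGED_ROLES - seen_roles):
        findings[role] = ["<no binding>"]
    return findings


if __name__ == "__main__":
    monitored = {"user:secops@example.com", "group:finance-admins@example.com"}
    print(audit_iam_policy(SAMPLE_POLICY, monitored))
    # {'roles/owner': ['user:intern@example.com']}
```

The same check applies to a billing account's own policy, which uses the same bindings shape.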
Graeme Park, senior consultant at Mason Advisory, told SC Media UK that Google has taken substantial steps since the phishing attacks last year that targeted Google Docs users, but with such a huge enterprise to consider and its position at the vanguard of new technologies, there are bound to be security issues throughout its architecture.
“From a technical viewpoint they have certainly made headway. However, the user is still one of the key issues in this form of attack. I would like to see Google using its brand, market penetration and analytics to address the human component via some form of intuitively designed and delivered training system integrated into their online offering,” he said.
John Bambenek, threat intelligence manager at Fidelis Cybersecurity, told SC that the core difficulty with outsourcing core infrastructure to G Suite, O365, AWS, etc, is the limitation it places on central management.
“Google creating application whitelisting is a great step to fix this issue where admins can control specifically which applications can be used. However, it is not a fundamental game changer,” he said.
“One of the reasons that Apple's iOS is such a secure platform is that applications only have defined ways they can interact with other applications, where Google's approach has been much more open. Its chief advantage is also its largest security issue,” he added.
“Pop-up warnings about verification or when sending e-mails to external parties help mitigate this disadvantage, but as we've seen with self-signed SSL/TLS certificates, most users will ignore warnings and plunge headlong into becoming victims. Unless these features are paired with effective security awareness training on what these changes mean to users, it is unlikely they will have much of an effect.”