Google introduces new protections to prevent app-based account compromise

Google has implemented new protections that should considerably reduce the risk of potentially malicious apps gaining OAuth access to users’ Google accounts.

There can be no doubt that the added security is a direct consequence of the massive phishing attack in early May 2017, in which a great many users granted the attacker’s OAuth app (conveniently named “Google Docs”) access to their accounts.

From now on, until a new app has passed Google’s verification, users who try to grant it access will see an “unverified app” warning and have to jump through several hoops (a few clicks and typing the word “continue”) before the grant goes through:

[Screenshot: the “unverified app” warning shown before access is granted]

Hopefully, that will make them more careful about which apps they use, and minimize the risk of their data being phished by attackers.

The change has the added bonus of helping developers test their apps more easily. “Since users can choose to acknowledge the ‘unverified app’ alert, developers can now test their applications without having to go through the OAuth client verification process first,” Google pointed out.

Apps Script, which helps developers automate tasks across Google products and third-party services, will get the same protections.

“Beginning this week, new Apps Scripts requesting OAuth access to data from consumers or from users in other domains may also see the ‘unverified app’ screen,” the company explained, and added that users “will see new cautionary language reminding them to ‘consider whether you trust’ an application before granting OAuth access, as well as a banner identifying web pages and forms created by other users.”

And finally, in the coming months, the verification process and the new warnings will be extended to some existing apps and scripts.

Since the aforementioned attack, Google has introduced several new security features, and improvements to existing ones, for protecting Gmail users against phishing emails, as well as OAuth app whitelisting, which lets G Suite administrators choose which third-party apps are allowed to access users’ corporate data.
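The whitelisting feature mentioned above is an admin-side control; an administrator would also want to know which grants already exist before turning it on. The following is an added example, not code from Google or from the article: it runs an offline audit over a constructed snapshot of third-party OAuth grants, modelled on the fields (userKey, clientId, displayText, scopes) that the Admin SDK Directory API `tokens.list` call returns, and flags grants to clients outside an assumed allowlist or with broad mail/contacts/Drive scopes. The client IDs, the allowlist and the sensitive-scope set are all assumptions chosen for this example.

```python
"""Offline audit of third-party OAuth grants against an admin allowlist.

Added example (not Google's code). The grant records are constructed and
only imitate the shape of Admin SDK Directory API `tokens.list` results;
client IDs, the allowlist and SENSITIVE_SCOPES are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Scopes that hand an app broad access to mail, contacts or Drive.
# Assumed for this example; a real policy is tuned per organisation.
SENSITIVE_SCOPES: Set[str] = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/drive",
}

# Admin allowlist keyed by OAuth client ID (constructed, not real IDs).
ALLOWED_CLIENT_IDS: Set[str] = {
    "111111111111-example-crm.apps.googleusercontent.com",
}

# Constructed sample grants shaped like Admin SDK token resources.
SAMPLE_GRANTS: List[Dict] = [
    {"userKey": "alice@example.com",
     "clientId": "111111111111-example-crm.apps.googleusercontent.com",
     "displayText": "Example CRM",
     "scopes": ["https://www.googleapis.com/auth/contacts.readonly"]},
    {"userKey": "bob@example.com",
     "clientId": "222222222222-lookalike.apps.googleusercontent.com",
     "displayText": "Google Docs",   # name imitating a Google product
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts"]},
    {"userKey": "carol@example.com",
     "clientId": "333333333333-todo.apps.googleusercontent.com",
     "displayText": "Tiny Todo",
     "scopes": ["https://www.googleapis.com/auth/userinfo.email"]},
]


@dataclass
class Finding:
    user: str
    client_id: str
    display_text: str
    action: str                      # "revoke" or "review"
    reasons: List[str] = field(default_factory=list)


def audit_grants(grants: Iterable[Dict], allowed: Set[str],
                 sensitive: Set[str]) -> List[Finding]:
    """Return one Finding per grant that needs admin attention.

    Grants to clients outside the allowlist are what the whitelisting
    feature would block, so they are marked "revoke"; allowlisted clients
    holding broad scopes are marked "review". Everything else is silent.
    """
    findings: List[Finding] = []
    for g in grants:
        cid = g["clientId"]
        name = g.get("displayText", "")
        hit = sorted(set(g.get("scopes", [])) & sensitive)
        reasons: List[str] = []
        if cid not in allowed:
            action = "revoke"
            reasons.append("client not on admin allowlist")
            # An app name that imitates a Google product is the lure the
            # May 2017 campaign used; flag it only for non-allowlisted clients.
            if "google" in name.lower():
                reasons.append("display name imitates a Google product")
        elif hit:
            action = "review"
        else:
            continue
        if hit:
            reasons.append("sensitive scopes: " + ", ".join(hit))
        findings.append(Finding(g["userKey"], cid, name, action, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS, ALLOWED_CLIENT_IDS, SENSITIVE_SCOPES):
        print(f"{f.action:7} {f.user:20} {f.display_text!r}: {'; '.join(f.reasons)}")
```

In practice the grants would come from the Admin SDK rather than a constructed list, and the "revoke" findings would be fed to the corresponding token-delete call; the allowlist should mirror whatever the administrator configures in the G Suite whitelisting setting so the audit and the enforcement agree.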