Security researchers have tested nearly 1,000 enterprise apps offered on Google’s G Suite Marketplace and discovered that many ask for permission to access to user data via Google APIs as well as to communicate with (sometimes undisclosed) external services.
“The request to ‘Connect to an external service’ is notable, as it indicates apps can communicate with other online APIs that neither Google nor the app developer might not control,” they pointed out.
They also noted that the app authorization prompt only discloses if an app can connect to external services, but does not name these external services not does it explain what the app is using those APIs.
“While some developers do elaborate on this in their apps’ Marketplace listings or external privacy policies, a cursory spot check on a selection of these 481 apps shows this is not always the case,” they added, meaning that users often don’t know what other services might receive their private user information.
About the G Suite Marketplace
The G Suite Marketplace is an online “app store” from which enterprise applications that are integrated with G Suite can be added to an entire domain or to individual G Suite accounts.
Applications installed from the Marketplace can be launched directly from within the various G Suite products (Gmail, Drive, Docs, etc.).
Both end users and G Suite administrators can discover and install new apps from the Marketplace. The latter can find, install, and authorize apps for some or all of their users via the G Suite Admin console.
“In order to curb potential abuse of users’ private data, Google’s policy requires app developers to submit their products for review if they call API functions that ‘allow access to Google User Data’. This review takes 3 to 5 days for apps that use ‘sensitive’ API calls, or 4 to 8 weeks for apps that use the subset of ‘restricted’ API calls specifically concerning Gmail or Google Drive data,” the researchers additionally noted.
So, this unverified status can last for a while and, in the meantime, Google ostensibly prevents more than a 100 users from installing the app (while warning them to install it only if they know and trust the developer).
This use limit is also not strictly enforced, researchers Irwin Reyes and Michael Lack with Two Six Labs found.
“One of these still-unverified apps drew our attention in particular: ezShared Contacts. This app gained over 1,000 users between the two times when we scraped the Marketplace. Among its disclosed authorizations are ‘Read, compose, send, and permanently delete all your email from Gmail,’ ‘See, edit, download, and permanently delete your contacts,’ and ‘Connect to an external service.'”
Although Google performs the aforementioned review and although it offers app developers the option to receive a trust-inducing badge on their G Suite Marketplace listing once they passed a security assessment by a third-party security firm (see image above), users should keep in mind that Google does not accept responsibility for any compromise or loss of data that may result from them using a G Suite Marketplace app, so they should evaluate the potential risks themselves after reviewing the app’s permissions request shown when they want to install the app.
Google could make that decision easier by providing information about the external services that might have indirect access to users’ sensitive Google account data if they give the asked-for permissions.
Also, the researchers noted, Google might consider showing the permissions request when the apps are first run or specific functionalities are used for the first time (instead of when they are installed), as users are more likely to understand them and make a personally favorable decision at that time.
UPDATE (June 5, 2020, 1:32 a.m. PT):
“We have a rigorous process of verification for every application that is submitted to the G Suite Marketplace, and we continue to work with our developers to ensure compliance with our policies. The conclusions in this report do not accurately reflect the stringent third-party data access and privacy protections we have in place to protect our users. For our G Suite customers, we provide admins full visibility and comprehensive controls to manage app access,” a Google spokesperson told Help Net Security.
The company also noted that the researchers completed their analysis in January 2020 during a period when enforcements had not yet been enabled so that apps that are in-process of completing security assessment could be completed.
“Since then, the apps referenced in the report have either been approved or were limited in accepting additional users. Additionally, the privacy restrictions referenced in this report only apply to consumer accounts. G Suite administrators have the ability to control access to their user’s applications,” they added.