Google Tightens Rules Around App Permissions
10.10.2018 securityweek
Incident

Google this week announced improved user control over data shared with apps, redesigned app permissions, and diminished app access to sensitive information such as contacts, SMS, and phone.

The changes, the search giant says, are being rolled out as part of Project Strobe, which represents an overall review of third-party developer access to Google account and Android device data. The idea was to have a look at privacy controls, data privacy concerns, and the access developers enjoy, and make adjustments where necessary.

The first and most important change resulting from Project Strobe is the shutdown of Google+ for consumers in August 2019. It is not surprising, given the low usage and engagement the social platform sees at the moment, with 90% of Google+ user sessions lasting less than five seconds.

While reviewing the Google+ APIs, Google discovered a bug in one of them that gave apps access to users’ profile fields that had not been made public.

Such data includes optional Google+ Profile fields such as name, email address, occupation, gender and age, but does not include Google+ posts, messages, Google account data, phone numbers, or G Suite content. The flawed API was apparently used by up to 438 applications and the bug was fixed in March.

“We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected,” Google says.

The company also claims that it has no evidence of developers being aware of the security flaw in said API. There is no evidence of profile data being misused either, the Internet giant notes.

“The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations. Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+,” Google points out.

Another result of Project Strobe is the rolling-out of an improvement to Google’s API infrastructure, which starts with separately showing each and every permission that an app requests. Basically, each permission will get its own dialogue, so that users can allow or deny them individually.

Thus, developers are advised to review the Google API Services: User Data Policy, check the permissions the user has granted to their apps, request permissions only when they are needed, and provide justification before asking for access.

The changes, Google reveals, will start rolling out this month and will get extended to existing clients at the beginning of 2019. The Internet giant expects the move to increase transparency and trust in its app ecosystem.

Google is also updating its User Data Policy for the consumer Gmail API to limit the apps that may seek permission to access consumer Gmail data. Thus, only email clients, email backup services, and productivity services will be authorized to access this data.

These apps will also need to agree to new rules on handling Gmail data and will also be subject to security assessments, the company says. Set to go into effect on January 9, 2019, the new policies target how data must not be used, how it should be secured, and what data can be accessed.

“All apps accessing the Covered Gmail APIs will be required to submit an application review starting on January 9, 2019. If a review is not submitted by February 15, 2019, then new grants from Google consumer accounts will be disabled after February 22, 2019 and any existing grants will be revoked after March 31, 2019,” Google says.

The search giant is also limiting apps’ ability to receive call log and SMS permissions on Android devices, so that only apps that have been set as the default for making calls or sending text messages can make these requests. Furthermore, contact interaction data is no longer available via the Android Contacts API, the company explains.

“Our goal is to support a wide range of useful apps, while ensuring that everyone is confident that their data is secure. By giving developers more explicit rules of the road, and helping users control your data, we can ensure that we keep doing just that,” Google concludes.