Google G-Suite spotted erecting stiff member vetting tool
App verification signage aims to give phishing the finger
Stung by phishing attacks aimed at G Suite users earlier this year, Google has armored its cloud with extra security layers.
Following recent defenses against the dark arts – security key enforcement, app name vetting, and OAuth whitelisting – the Chocolate Factory has designed some interface signage to warn G Suite users not to accept web apps and Apps Scripts too hastily.
"Beginning today, we're rolling out an 'unverified app' screen for newly created web applications and Apps Scripts that require verification," said Naveen Agarwal, a member of Google's Identity team, and Wesley Chun, developer advocate for G Suite, in a blog post. "This new screen replaces the 'error' page that developers and users of unverified web apps receive today."
The "unverified app" screen gets presented before the screen seeking permission to grant a web app access to G Suite data, in order to underscore the risk of consenting to use an app of uncertain provenance. Users may still accept such apps – a flow that requires three affirmative clicks and typing "continue" – but at least they will have been warned.
The "unverified app" screen also helps developers by allowing them to test apps without first going through OAuth verification, a requirement implemented previously in response to abuses.
Apps Script code (the scripting layer used to automate Google's apps) that seeks OAuth access to data belonging to, or information about, users in other domains must also wear the "unverified app" scarlet letter. Google is also adding cautionary language to the pre-OAuth alert and beneath the address bar to encourage G Suite users to think before trusting applications and scripts.
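As an added illustration of what the consent step described above actually puts in front of a user (this is not code from Google, from the article, or from the blog post it quotes), the script below decodes a Google OAuth 2.0 authorization URL as it appears in the address bar just before the permission screen, lists the scopes being requested, and flags lookalike hosts, non-Google client IDs, non-HTTPS redirects and scopes that hand over broad G Suite data. The scope classification, the verdict thresholds and the three sample URLs are constructed for this example; Google maintains its own policy on which scopes require verification.

```python
"""Decode a Google OAuth 2.0 authorization request the way a cautious
G Suite user, or an admin triaging a reported phishing link, would.

Added example, not Google's or The Register's code. The scope table,
verdict rules and sample URLs are assumptions constructed for illustration.
"""
from urllib.parse import urlparse, parse_qs

# Assumption: scopes this example treats as high impact because they hand
# over mailbox, Drive or contact data. Google publishes its own policy on
# which scopes need app verification; this list is illustrative only.
HIGH_IMPACT_SCOPES = {
    "https://mail.google.com/": "full Gmail mailbox access",
    "https://www.googleapis.com/auth/gmail.modify": "read, modify and send mail",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/contacts": "read and write contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
}

# Identity-only scopes that reveal little beyond who the user is.
BASIC_SCOPES = {"openid", "email", "profile"}

GOOGLE_AUTH_HOST = "accounts.google.com"

# Constructed sample requests (not real client IDs or sites).
SAMPLE_BROAD_REQUEST = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=1234567890-abcdef.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fexample.test%2Foauth%2Fcallback"
    "&response_type=code&access_type=offline"
    "&scope=https%3A%2F%2Fmail.google.com%2F%20"
    "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly%20openid"
)
SAMPLE_LOOKALIKE_REQUEST = (
    "https://accounts.google.com.login-verify.test/o/oauth2/v2/auth"
    "?client_id=1234567890-abcdef.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fexample.test%2Fcb&response_type=code&scope=openid"
)
SAMPLE_SIGNIN_REQUEST = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=1234567890-abcdef.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fexample.test%2Fcb&response_type=code"
    "&scope=openid%20email"
)


def describe_consent(url):
    """Summarize an OAuth authorization request and return its red flags."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)

    def first(key):
        return params.get(key, [""])[0]

    # 'scope' is a space-separated list; parse_qs has already decoded %20 and '+'.
    scopes = first("scope").split()
    high_impact = [(s, HIGH_IMPACT_SCOPES[s]) for s in scopes if s in HIGH_IMPACT_SCOPES]
    unknown = [s for s in scopes if s not in HIGH_IMPACT_SCOPES and s not in BASIC_SCOPES]

    # Structural problems mean this is not a legitimate Google consent page at
    # all, so the scope list below it should not be trusted either.
    structural = []
    host = parsed.hostname or ""
    if host != GOOGLE_AUTH_HOST:
        structural.append(f"authorization host is {host!r}, not {GOOGLE_AUTH_HOST}")
    client_id = first("client_id")
    if not client_id.endswith(".apps.googleusercontent.com"):
        structural.append("client_id is not a Google-issued OAuth client id")
    redirect = urlparse(first("redirect_uri"))
    if redirect.scheme != "https" and redirect.hostname not in ("localhost", "127.0.0.1"):
        structural.append(f"redirect_uri {first('redirect_uri')!r} is not https")

    warnings = list(structural)
    if high_impact:
        warnings.append(f"{len(high_impact)} scope(s) grant broad access to G Suite data")

    if structural:
        verdict = "block"
    elif high_impact:
        verdict = "high"
    elif unknown:
        verdict = "review"
    else:
        verdict = "low"

    return {
        "host": host,
        "client_id": client_id,
        "redirect_uri": first("redirect_uri"),
        "scopes": scopes,
        "high_impact": high_impact,
        "unknown_scopes": unknown,
        "warnings": warnings,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_BROAD_REQUEST, SAMPLE_LOOKALIKE_REQUEST, SAMPLE_SIGNIN_REQUEST):
        report = describe_consent(sample)
        print(report["verdict"], report["host"], report["scopes"], report["warnings"])
```

Running the module prints a verdict for each sample; the same function can sit in a mail-security pipeline to triage consent links that users report, since the scopes and the client ID are visible in the URL before anyone clicks "Allow".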
It's about time. Those interested in app security have been talking about potential Apps Script problems at least since 2014. In February, security engineer Greg Carson posted PoC code to demonstrate how the technology can be abused.
The latest protections apply to newly created web apps and Apps Scripts. In the coming months, Google intends to extend them to existing applications and scripts. This may require developers to revisit the Google Cloud Console to go through the verification process. ®
PS: Google has also launched a recruitment tool called Hire, another service it will presumably shut down in three years.