Apps may even be reviewed manually if need be

May 15, 2017 22:55 GMT

Following the famous Gmail phishing attack from just a few days ago, Google has decided to make it more difficult for apps to get access to people's data. 

The company has announced that new applications that request access to user data will, from now on, face more scrutiny. Some of these apps may even “qualify” for a manual review due to Google's enhanced risk assessment.

“Until the review is complete, users will not be able to approve the data permissions, and we will display an error message instead of the permissions consent page. You can request a review during the testing phase in order to open the app to the public. We will try to process those reviews in 3-7 business days. In the future, we will enable review requests during the registration phase as well,” Google informs developers.

Developers will still be able to use their apps for testing purposes before they are approved. To do so, they'll need to log in with an account registered as owner or editor of the project in the Google API Console. From there, they'll be able to add more testers and start the review process.

To add an extra layer of security, Google has updated its app identity guidelines. They state that apps must not mislead users, which means apps need unique names and must not copy other apps, something that has happened countless times already.

“These changes may add some friction and require more time before you are able to publish your web application, so we recommend that you plan your work accordingly,” Google says.

Multiple changes to increase security

The changes come as a result of the attack that took place a few weeks ago. Gmail users started receiving phishing emails pretending to be from someone they knew who was looking to share content with them on Google Docs. A link took people to a login page where a fake Google Docs app requested permission to access people's contacts and emails.

The attack was stopped within an hour, and the company said that less than 0.1% of Gmail users were impacted by the incident. The company has already tightened its OAuth rules, its anti-spam systems, and more.