Google was hit by a phishing attack last week, as attackers used Google’s web app platform to publish an app seemingly named as ‘Google Docs’, tricking users into thinking that it’s the legitimate Google service.
It took a mere three hours for Google to blacklist the offending web app; the next day, Google rolled out an update for Gmail to better warn users about phishing links.
Today, the Mountain View giant has announced an update to its approach with regards to the publishing process for web apps that request user data.
The company notes that while its API’s user data policy states that “apps must not mislead users” and that their names “should be unique to [the] application and should not copy others”, the process of enforcing this policy have been lackluster. To fix that, Google is updating its web app publishing process, its risk assessment systems, as well as the user-facing consent page for apps.
As far as the average user is concerned – nothing changes. But, developers might notice delays in publishing or modifying their web apps.
As an example, subject to how the new risk assessment process feels about a web app, some web apps might require a manual review by Google before publishing publicly. Developers will have to manually request said review during an app’s testing phase, and Google may take up to 7 days to give its nod; until approved, the app will only work for the owner, editor, and additional testers. The average user will not be able to provide permission to use their data until an app has been approved.
These changes are sure to help prevent a repeat of such phishing attacks. Google didn’t state if any more changes were coming to the user-facing consent page, but hopefully, a change to highlight the app publisher’s name more prominently is in the works.