We saw a serious Google Docs phishing scam this month that resulted in the loss of user account data on a huge scale. It was carried out entirely by an app that merely masqueraded as Google Docs, which shows how much trust people have placed in Google apps and services. Now, Google has implemented further changes to secure user data even better.
As announced on the Google Developers Blog, the main aim of these changes is to prevent a similar attack in the future. They involve updates to the developer identity guidelines, risk assessment and the user-facing consent page. For instance, app names must now be unique to the application and not similar to those of other applications. To enforce these changes, Google is currently modifying its app publishing process, so developers might see error messages while uploading new applications or making changes to existing ones.
To further ensure data security, Google has made it harder for web applications to request Google account data through OAuth authorizations. Some of these requests will require manual review, and until that review is complete, users won't be able to grant data permissions to the app in question. Google has advised developers to seek a review during the testing phase itself; the review will take roughly 3-7 days on Google's end. In the future, such requests will also be enabled during the registration process.
When the phishing scam was detected, Google ensured prompt action through manual and automated measures. Most importantly, they halted the threat within an hour, and as a result, less than 0.1% of Google users were affected by it. Google has always placed a high emphasis on security for its developers, and with these changes, its app and OAuth system is going to make it even harder for such scams to take place in the future.