A new research paper presented at IEEE 41 calls attention to the fact that Google Suites App Marketplace – whose apps are able to tap into the powerful Google API to read contacts, emails, calendar, etc – allows unverified apps to ask for and oftentimes receive sensitive user data. The paper which is titled “API Privacy: A Look at G Suite Marketplace Permissions and Policies,” delves into the risk that bad actors might be gaining access to private or sensitive information from Google users through the Google Suites App Marketplace. Granting a third party access to API data from a service you use a lot, be it Facebook or Google, could result in untold consequences – take the Cambridge Analytica example for instance. With Cambridge Analytica, Facebook’s API was misused to sweep up information from Facebook users and Irwin Reyes and Michael Lack of Two Six Labs went about this research. The paper goes into analyzing analogous risks in the Google Suites Marketplace Apps API access – imagine if there’s an app in the Google Suites App Marketplace like Cambridge Analytica right now?
Research paper looks at Google API permissions distribution in Google Suites App MarketplaceThe researchers programmatically downloaded and installed all the Google Suites Apps that they could – 987 apps in total. They then analyzed how many apps were asking for permission to read user data via Google API. Of the 987 apps, 889 asked for Google API access to read user data, and 49% of those apps also asked to send that data to external third parties. The disclosures over who those third parties are is very murky. Of the apps that got permission to access and share your user data 21% had access to Google Drive, 17% to Google Mail, and 3% to Google Calendar. That’s not necessarily information you want going out to unknown third parties after giving your authorization.
Google allows unverified apps onto the Google Suites App MarketplaceMore alarmingly, the researchers discovered that Google’s policy of allowing unverified apps in the Marketplace is easily abusable despite stated Google policies that are supposed to limit the number of users of such apps to under 100. Apps are allowed to enter the marketplace as unverified while they wait for a manual review; however, there is supposed to be a limit on users which Two Six Labs discovered wasn’t currently being enforced.
Possible solutions to avoid another API-fueled privacy disasterThe researchers advocate for switching from install-time permissions to run-time permissions because install-time permissions are often forgotten after the point of install while run-time permissions would require the user to acknowledge and accept the potentially privacy invading permissions each time it’s used. Another thing that the researchers point out could mitigate risk is to have platform-generated disclosures so that app users are knowledgeable about what external services are receiving their Google information . However, the study does note that their paper only looked into the technical side of the risks and acknowledged that there are additional factors – such as users tending to glance over disclosures – at play when it comes to privacy risk in this marketplace.
Featured image by Google shared via CC By 4.0 SA License.