
G Suite Marketplace primed for a privacy scandal, researchers warn

June 2, 2020
in Internet Security

Image: ZDNet

In research presented last month, security researchers said that many of the apps listed on the G Suite Marketplace have access to users’ Gmail and Drive accounts, but also communicate with undisclosed external services, creating the opportunity for secret data exfiltration from Google accounts.

The research, carried out by Irwin Reyes and Michael Lack of Two Six Labs, analyzed the permissions requested by third-party Google apps listed on the G Suite Marketplace.

Reyes and Lack said they used an automated script to install all the 1,392 apps listed on the G Suite Marketplace on January 2, 2020, on a test Google account and then record the permissions each app requested.

The duo said they found that of the 1,392 apps they tested, 405 failed with various errors. Of the 987 apps that could be installed, the researchers said that 889 apps required access to user data via Google APIs, and hence, triggered a permission request.

gsm-chart1.png

Image: Two Six Labs

Of these 889, almost half (49%), accounting for 481 apps, requested permission to communicate with external services, creating a bridge between a user’s sensitive Drive and Gmail data and the outside world.

The research team says that of these 481 apps that could bridge to the outside world, 103 (21% of 481) could access and interact with Google Drive files, 81 (17%) could access and interact with email inboxes, and 15 (3.0%) could access and interact with calendar data.
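An admin-side version of this classification, as an added example that is not from the article or the Two Six Labs paper: it flags apps whose granted OAuth scopes pair outbound network access with Gmail, Drive or Calendar access. The app inventory is constructed, and the scope-to-category mapping is an assumption, since the article names no scope strings.

```python
from collections import Counter

PREFIX = "https://www.googleapis.com/auth/"
# Apps Script scope that permits requests to arbitrary external services.
EXTERNAL = PREFIX + "script.external_request"
SENSITIVE = ("gmail", "drive", "calendar")  # assumed mapping, not from the article

def data_category(scope):
    """Return 'gmail', 'drive' or 'calendar' for a scope, else None."""
    if scope.startswith("https://mail.google.com"):
        return "gmail"  # full-mailbox scope uses its own host
    if not scope.startswith(PREFIX):
        return None
    name = scope[len(PREFIX):]
    for cat in SENSITIVE:
        # match "drive" and "drive.file", but not an unrelated name like "driveactivity"
        if name == cat or name.startswith(cat + "."):
            return cat
    return None

def audit(inventory):
    """Map app -> sorted data categories, only for apps that can also call out."""
    flagged = {}
    for app, scopes in inventory.items():
        if EXTERNAL not in scopes:
            continue  # no bridge to external services
        cats = sorted({c for c in map(data_category, scopes) if c})
        if cats:
            flagged[app] = cats
    return flagged

def category_counts(flagged):
    """Count flagged apps per data category, like the article's breakdown."""
    return Counter(c for cats in flagged.values() for c in cats)

# Constructed inventory: app names are hypothetical, scope strings are real.
SAMPLE_APPS = {
    "mail-merge-helper": [EXTERNAL, "https://mail.google.com/", PREFIX + "spreadsheets"],
    "diagram-editor": [PREFIX + "drive.file", EXTERNAL],
    "offline-formatter": [PREFIX + "documents.currentonly"],
    "meeting-notes": [PREFIX + "calendar.readonly", PREFIX + "drive", EXTERNAL],
    "form-poster": [EXTERNAL, PREFIX + "forms.currentonly"],
    "inbox-labeler": [PREFIX + "gmail.modify"],
}

if __name__ == "__main__":
    result = audit(SAMPLE_APPS)
    for app, cats in result.items():
        print(f"{app}: external requests + {', '.join(cats)}")
    print(dict(category_counts(result)))
```

Apps with only one half of the combination (`form-poster`, `inbox-labeler`) are deliberately not flagged, since the concern described above is the pairing of data access with an outbound channel.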

However, while some add-ons had legitimate reasons to connect to external services, for some, this was unclear. In fact, in most cases, researchers said this was very unclear.

Reyes and Lack say that beyond app descriptions and privacy policies voluntarily provided by the app developers, users don’t have any insight into which external services a G Suite app may be communicating with, or the nature of the communication.

gsm-permissions-explained.png

Image: Two Six Labs

Unverified apps pose a danger to Google users

But the issues don’t stop here. Researchers said they’ve also spotted a second problem with the G Suite Marketplace’s review process.

This review process is mandatory for all apps submitted to the marketplace and especially for apps that make API calls that Google classifies as either sensitive or restricted.

The review can range from 3 to 5 days for apps that make “sensitive” API calls, or from 4 to 8 weeks for apps that make “restricted” API calls that interact with a user’s Gmail or Google Drive data.

Because this creates long turnaround times for apps submitted for review, Google allows app developers to list apps as “unverified” on the G Suite Marketplace.

To reduce the danger of listing “unverified” apps, when users try to install any of these apps, Google also shows full-page messages that warn users of the danger of installing a potentially dangerous app that has not yet passed through its review process.

gsm-unverified.png

Image: Two Six Labs

In addition, as a secondary precaution, Google also limits “unverified” G Suite apps to no more than 100 installs until they pass the review process.

However, the research team says that during a second scan of the G Suite Marketplace, carried out on January 18, 2020, 16 days after their initial research, they found that many unverified apps had gained more than 100 users while waiting to be reviewed, suggesting that Google was not enforcing its “100 new users” hard limit.

Researchers recommend moving to install-time permissions

The Two Six Labs team argues that many of the same issues that plagued Facebook’s third-party app ecosystem now impact Google’s G Suite Marketplace, which may soon result in malicious apps being uploaded to the store for the sole purpose of collecting data from Google users (most of whom are enterprise users of Google’s G Suite package).

Reyes and Lack say that one way to address this issue is for Google to move from prompting users for permissions when the app is installed to prompting them when the app is first used.

Moving from install-time permissions to run-time permissions has a proven record for improving users’ ability to spot intrusive apps, and is a technique that Google itself also previously employed to improve the security of the Android app ecosystem.

The team’s research was presented last month at the 41st IEEE Symposium on Security and Privacy Workshops. A draft of their research paper, entitled “API Privacy: A Look at G Suite Marketplace Permissions and Policies,” is available in PDF format here or here.

gsm-permissions.png

Image: Two Six Labs

Credit: ZDNet
