Google has moved to bolster the security of its G Suite productivity apps with new warnings over “unverified” third-party apps. The new procedure is in response to a recent phishing scam involving a bogus Google Docs link being distributed via email.
In a blog post, Naveen Agrawal, a member of Google’s Identity team, and Wesley Chun, developer advocate for G Suite, said that Google was rolling out an ‘unverified app’ screen for newly created web applications and Apps Scripts that require verification.
“This new screen replaces the ‘error’ page that developers and users of unverified web apps receive today,” they said.
This new “unverified app” screen comes before the permissions consent screen for the app and lets potential users know that the app has yet to be verified. This will help reduce the risk of user data being phished by bad actors, Google claimed.
According to Google, the new notice will also help developers test their apps more easily.
“Since users can choose to acknowledge the ‘unverified app’ alert, developers can now test their applications without having to go through the OAuth client verification process first,” said Agrawal and Chun.
Google is also extending these protections to Apps Script. As of last week, Apps Scripts requesting OAuth access to data from consumers or from users in other domains may also see the “unverified app” screen.
“Apps Script is proactively protecting users from abusive apps in other ways as well. Users will see new cautionary language reminding them to ‘consider whether you trust’ an application before granting OAuth access, as well as a banner identifying web pages and forms created by other users,” said Agrawal and Chun.
Google said it will extend the verification process beyond newly created apps, to existing apps as well. As a part of this expansion, developers of some current apps may be required to go through the verification flow, according to the blog post.
Agrawal and Chun recommended that developers verify that their contact information is up to date. “In the Google Cloud Console, developers should ensure that the appropriate and monitored accounts are granted either the project owner or billing account admin IAM role,” they said. “In the API manager, developers should ensure that their OAuth consent screen configuration is accurate and up-to-date.”
This article originally appeared at scmagazineuk.com