Google today started rolling out new warnings for G Suite and Apps Script to inform users about the potential dangers of new web apps. The company also plans to expand its verification process to existing apps “in the coming months.”
Although Google won’t say so explicitly, this is a response to the widespread “Google Docs” phishing email that hit many Google users in May, in which a third-party app calling itself “Google Docs” tricked recipients into granting it OAuth access to their accounts. At the time, Google disabled the accounts responsible for abusing OAuth authorization. A week later the company tightened the review process for web apps that request user data, and earlier this month it beefed up G Suite security with OAuth apps whitelisting. Now the company is preparing new warnings for unverified apps.
Starting today, G Suite users will see a new “unverified app” screen for new web applications and Apps Scripts that require verification. This interstitial precedes the permissions consent screen for the app and replaces the “error” page that developers of unverified web apps currently receive. The goal is to let potential users know that the app has yet to be verified in the hope of reducing the risk of user data being phished.
When users try to use an app that needs to be verified, they will be alerted after selecting their account, and then will be directed to the standard consent screen. Because the interstitial can be dismissed, it is a warning rather than a block: a user who clicks through still reaches the consent screen and can grant the app access, so G Suite administrators who want to prevent such grants outright still need the OAuth apps whitelisting described above. A side benefit of the dismissable screen is that developers can now test their applications without first going through the OAuth client verification process.
Starting this week, new Apps Scripts requesting OAuth access to data from consumers or from users in other domains will also show the same “unverified app” screen. Additionally, Apps Script users will see new cautionary language reminding them to “consider whether you trust” an application before granting OAuth access, as well as a banner identifying web pages and forms created by other users.
Again, all of the above is for new apps. For existing apps, Google is recommending that developers verify their contact information is up to date, because the company will be getting in touch in the coming months. If you’re a developer, make sure the appropriate accounts are granted either the Project Owner or Billing Account Admin IAM role in the Google Cloud Console, and that the OAuth Consent Screen configuration is correct in API Manager.
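As an added example (not code from Google or from the article), here is one way a developer can check that last point from the command line rather than by clicking through the console. It parses the IAM Policy JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints and reports which of your contact accounts actually hold Project Owner (`roles/owner`), and does the same for Billing Account Admin (`roles/billing.admin`) on the billing-account policy, which this example assumes uses the same bindings/etag/version shape. The two policy documents embedded below are constructed sample data, and the account names are placeholders. It skips conditional bindings and flags roles granted through groups, since neither can be counted as a direct, unconditional grant to a contact.

```python
import json

PROJECT_OWNER = "roles/owner"          # "Project Owner" in the Cloud Console
BILLING_ADMIN = "roles/billing.admin"  # "Billing Account Admin"

# Constructed sample output of
#   gcloud projects get-iam-policy example-project --format=json
PROJECT_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com", "group:admins@example.com"]},
    {"role": "roles/owner",
     "members": ["user:bob@example.com"],
     "condition": {"title": "temporary",
                   "expression": "request.time < timestamp('2017-08-01T00:00:00Z')"}},
    {"role": "roles/editor",
     "members": ["serviceAccount:build@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwVconstructed1",
  "version": 3
}
"""

# Constructed sample billing-account policy; assumed (not verified here) to
# use the same Policy shape as the project policy.
BILLING_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/billing.admin", "members": ["user:carol@example.com"]},
    {"role": "roles/billing.user",  "members": ["user:bob@example.com"]}
  ],
  "etag": "BwVconstructed2",
  "version": 1
}
"""


def load_policy(text: str) -> dict:
    """Parse a Policy document as printed by gcloud --format=json."""
    policy = json.loads(text)
    if not isinstance(policy.get("bindings", []), list):
        raise ValueError("policy has no bindings list")
    return policy


def members_with_role(policy: dict, role: str) -> set:
    """Member strings bound unconditionally to `role`. A binding that carries
    a `condition` only applies while its expression is true, so it is not
    counted as a standing grant."""
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") != role or "condition" in binding:
            continue
        found.update(binding.get("members", []))
    return found


def normalize(account: str) -> str:
    """IAM members carry a type prefix (user:, group:, serviceAccount:);
    a bare e-mail address is treated as a user."""
    return account if ":" in account else "user:" + account


def check_contacts(project_policy: dict, billing_policy: dict, contacts) -> dict:
    """Map each contact to the qualifying roles it holds directly.
    An empty list means a notice keyed on those roles would not reach it."""
    owners = members_with_role(project_policy, PROJECT_OWNER)
    billing_admins = members_with_role(billing_policy, BILLING_ADMIN)
    report = {}
    for contact in contacts:
        member = normalize(contact)
        held = []
        if member in owners:
            held.append(PROJECT_OWNER)
        if member in billing_admins:
            held.append(BILLING_ADMIN)
        report[contact] = held
    return report


def group_grants(project_policy: dict, billing_policy: dict) -> list:
    """Groups holding a qualifying role. Group membership is not visible in
    the policy, so a contact covered only via a group looks uncovered in
    check_contacts() and has to be confirmed in the directory."""
    groups = set()
    for policy, role in ((project_policy, PROJECT_OWNER),
                         (billing_policy, BILLING_ADMIN)):
        groups.update(m for m in members_with_role(policy, role)
                      if m.startswith("group:"))
    return sorted(groups)


if __name__ == "__main__":
    project = load_policy(PROJECT_POLICY_JSON)
    billing = load_policy(BILLING_POLICY_JSON)
    contacts = ["alice@example.com", "bob@example.com", "carol@example.com"]
    for contact, roles in check_contacts(project, billing, contacts).items():
        print(f"{contact}: {', '.join(roles) if roles else 'NO qualifying role'}")
    for group in group_grants(project, billing):
        print(f"note: {group} holds a qualifying role; verify its membership manually")
```

Run it against the real output of `gcloud projects get-iam-policy` (and the billing-account policy from `gcloud beta billing accounts get-iam-policy`, assuming your gcloud version exposes it under that name) by replacing the two embedded documents. Any contact that comes back with no role, and is not covered by one of the listed groups, is the account Google’s notice would miss.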