Google is making its web application requirements more stringent after a phishing attack tricked lots of Gmail users this past week. The changes mean Google is altering its app publishing process, how it assesses risk, and the look of its user-facing consent page. Users really won’t be affected, at least as far as how they use the email service and apps, but developers might face delays in publishing their web app.
For instance, Google is going to be more intense about its risk assessment, which means some web apps might require a manual review. That app won’t be able to receive user data permissions until the review is complete, which could take up to a week. The company is also making sure developers don’t register an application or modify an existing one to mislead users. Last week’s phishing attack was so successful because the attacker named his web app “Google Docs” and recreated the legitimate company’s UI.
These developer-focused changes follow Google’s immediate actions taken after the phishing attack. That same day, it removed the fake pages, pushed updates through Safe Browsing, and put its abuse team on the case. As Russell Brandom wrote for The Verge last week, Google’s renewed security focus might help prevent future attacks, but going forward, all companies are going to have to rethink how they work with developers to make apps while also keeping users safe.