Recent research carried out by Irwin Reyes and Michael Lack of Two Six Labs involved extensive analysis of permissions requested by third-party Google apps listed on the G Suite Marketplace. The duo claims they discovered many of the apps failed to install correctly on a test Google account, while almost half requested permission to communicate with external services, creating a bridge between a user’s sensitive Drive and Gmail data, and the outside world. For quite a few apps, the data connection was unclear, and the reasons weren’t mentioned openly.
Some Google G Suite Marketplace Apps Have Questionable Permissions Requests And Unclear Connection To External, Undisclosed Services?
Researchers Reyes and Lack said they used an automated script to install all the 1,392 apps listed on the G Suite Marketplace on a test Google account. They proceeded to record the permissions that each of the apps requested. From the 1,392 apps they tested, 405 failed with numerous errors. From the remaining 987 apps that could be installed, 889 apps required access to user data via Google APIs. Needless to add, this triggered a permission request that the majority of users usually grant. It is concerning to note that almost half or 481 apps from the G Suite Marketplace requested permission to communicate with external services. This essentially allowed the creation of a virtual bridge between a user’s sensitive Drive and Gmail data and services which were outside Google’s portfolio. Of these 481 apps, 21 percent (103 apps) could access and interact with Google Drive files, 17 percent (81 apps) could access and interact with email inboxes, and 3 percent (15 apps) could access and interact with calendar data.
— Alister Brenton (@AlisterBrenton) June 2, 2020 It is important to add that several add-ons have legitimate reasons to connect to secure external services. However, the researchers claim they discovered an uncomfortably large number of apps did not appear to have a clear reason to establish a connection with external services. It is concerning to note that the users don’t have any insight into which external service the G Suite apps may be communicating. Additionally, there’s no information about the nature and purpose of the communications. Users only have app descriptions and privacy policies voluntarily provided by the app developers to try and understand the reason, purpose, and nature of the communication of a G Suite Marketplace app and an external service.
Google Doesn’t Strictly Implement Restrictions Imposed On ‘Unverified’ Apps?
Apart from the communication with external services, researchers claimed there’s one more concerning issue with the G Suite Marketplace’s review process or its lack thereof. The review process is mandatory for all apps submitted to the marketplace. The process becomes even more stringent and lengthy for apps that make API calls which Google classifies as either Sensitive or Restricted. The review process for apps that make Sensitive API calls can range from 3 to 5 days. Meanwhile, apps that make “Restricted” API calls or interact with a user’s Gmail or Google Drive data can take anywhere between 4 to 8 weeks. To temporarily bypass such a lengthy review and approval process, Google allows app developers to list apps as “unverified” on the G Suite Marketplace. Google merely slaps a warning label in the form of a full-page message that warns users of the danger of installing a potentially dangerous app that has not yet passed through its review process. There’s one more restriction that attempts to limit “unverified” G Suite apps to just 100 installs.
— Catalin Cimpanu (@campuscodi) June 2, 2020 However, researchers claim they found that many unverified apps had gained more than 100 users as they awaited to be reviewed. This strongly suggests that Google is intentionally relaxing the “100 new users” hard limit. Such practices or poor implementation of policies could easily give rise to malicious apps being uploaded on the store with the sole purpose of collecting data from Google users. The majority of Google’s G Suite package users are from the enterprise sector. This significantly raises the risk of social engineering hacks and similar attacks. The researchers suggest moving the process or seeking and granting permission from the install procedure to the time the apps actually need particular permission for the first time. Reyes and Lack claim, moving from install-time permissions to run-time permissions, significantly improves the chances of users noticing suspicious apps and backtrack or deny granting permission.