
Google blocking sign-ins from embedded app browsers to counter man-in-the-middle attacks

Last week at Cloud Next 2019, Google announced that all Android 7.0+ devices can serve as security keys. However, the reality is that most people do not use 2FA, and other methods are susceptible to man-in-the-middle attacks. Google is now working to counter MITM attacks by blocking sign-ins from embedded browser frameworks.

Embedded browser frameworks allow developers to add web browser instances, like Chromium, into their application. This is useful for letting end users sign into an account via a service like Google, Facebook, or Twitter without having to jump to a full browser.

However, there are phishing risks associated with this seamless log-in experience. A man-in-the-middle attack could intercept credentials and second factors in real time, as Google is unable to “differentiate between a legitimate sign in and a MITM attack” in embedded browsers:

However, one form of phishing, known as “man in the middle” (MITM), is hard to detect when an embedded browser framework (e.g., Chromium Embedded Framework – CEF) or another automation platform is being used for authentication.

Google’s solution is to block sign-ins from embedded browser frameworks starting this June. In 2016, the company similarly stopped allowing OAuth requests to Google from “web-views” on Android, iOS, and desktop. Meanwhile, last year, Google required that JavaScript be enabled to run a risk assessment on the sign-in page.

Developers are advised to switch to browser-based OAuth authentication where users are already familiar with signing in. Apps will send users to Chrome, Safari, Firefox, etc. to enter their password, with the necessary authentication information then communicated to the third-party client.

Aside from being secure, it also enables users to see the full URL of the page where they are entering their credentials, reinforcing good anti-phishing practices. If you are a developer with an app that requires access to Google Account data, switch to using browser-based OAuth authentication today.
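The browser-based flow the article recommends, as an added example that is not the article's or Google's code: a desktop app opens the system browser for an authorization-code request with PKCE (RFC 7636) and receives the code on a loopback redirect (RFC 8252), validating the state value before trusting it. The client ID and port are placeholders, and the token exchange that follows is not shown.

```python
import base64, hashlib, secrets, webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "PLACEHOLDER_CLIENT_ID"  # placeholder: an OAuth client of type "Desktop app"
LOOPBACK_PORT = 8765                 # placeholder: any free local port

def pkce_pair(verifier=None):
    """(code_verifier, code_challenge) per RFC 7636 S256; the verifier never leaves the app."""
    verifier = verifier or secrets.token_urlsafe(64)  # 86 unreserved chars, within 43..128
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_auth_url(client_id, redirect_uri, scope, state, challenge):
    """Authorization request the system browser opens, so the user sees the real URL bar."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "response_type": "code",
              "scope": scope, "state": state, "code_challenge": challenge,
              "code_challenge_method": "S256"}
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"

def parse_redirect(path, expected_state):
    """Validate the loopback redirect; a state mismatch means it is not the reply to our request."""
    qs = parse_qs(urlparse(path).query)
    if "error" in qs:
        raise ValueError(f"authorization server returned error: {qs['error'][0]}")
    if qs.get("state", [""])[0] != expected_state:
        raise ValueError("state mismatch")
    if not qs.get("code", [""])[0]:
        raise ValueError("redirect carried no authorization code")
    return qs["code"][0]

def wait_for_code(port, expected_state):
    """Serve exactly one request on 127.0.0.1 and return the validated authorization code."""
    result = {}
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                result["code"], body = parse_redirect(self.path, expected_state), b"Signed in."
            except ValueError as exc:
                result["error"], body = str(exc), b"Sign-in failed."
            self.send_response(200); self.end_headers(); self.wfile.write(body)
    with HTTPServer(("127.0.0.1", port), Handler) as server:
        server.handle_request()
    if "error" in result:
        raise ValueError(result["error"])
    return result["code"]

if __name__ == "__main__":
    state, (verifier, challenge) = secrets.token_urlsafe(16), pkce_pair()
    webbrowser.open(build_auth_url(CLIENT_ID, f"http://127.0.0.1:{LOOPBACK_PORT}/", "openid email", state, challenge))
    print("authorization code received:", wait_for_code(LOOPBACK_PORT, state)[:6], "... now exchange it with the verifier")
```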





Author: Abner Li

Editor-in-chief. Interested in the minutiae of Google and Alphabet. Tips/talk: abner@9to5g.com