According to Google, last week’s phishing scam that imitated a Docs invite was quickly countered by existing security measures. The company is now announcing changes aimed at developers to prevent future attacks.
The fact that a third-party app was able to have “Google” in its title, let alone fully copy the name of an existing product, was widely seen as a major flaw.
The company’s app identity guidelines already state that “app names should be unique to your application and should not copy others’.” But to better detect spoofed or misleading app identities, Google has updated its application publishing process, risk assessment systems, and user-facing consent page.
For the time being, this might result in developers seeing an error message when registering new apps or modifying existing ones in the Google API Console, Firebase Console, or Apps Script editor.
Additionally, there is a new review process specifically for web apps that request user data, as well as other restrictions.
This enhanced risk assessment might require that some web apps undergo a manual review. During the process, users will not be able to approve permissions and will encounter an error message instead of the consent page. These initial reviews will take 3-7 business days, with Google eventually permitting earlier review requests during the development process.
As a result of these two changes, the company recommends that developers review the data request guidelines and account for the delays.