Here’s how Google is revamping Gmail and Android security

Eager to change the conversation from its years exposure of user data through Google+ to the bright and bright future provided by the company, Google has announced some changes in the way permissions are approved for the Android applications. The new process will be slower, more deliberate and, surely, safe.

The changes are part of "Project Strobe," an "access root revision of external developers to Google accounts and Android device data and our philosophy around accessing application data." Essentially they decided it was time to update the complex and probably not entirely cohesive set of rules and practices about third-party developers and access to the API.

One of those roots (or perhaps branches) was the error discovered on Google+, which in theory (the company can not tell if it was abused or not) exposed non-public profile data to applications that should have received only the public profile of a user. This, combined with the fact that Google+ never really justified its own existence in the first place, made the service essentially shut down. "The Google+ consumer version currently has little use and commitment," Google admitted. "90 percent of Google+ user sessions last less than five seconds."

But the review team has other suggestions to improve the informed consent process to share data with third parties.

The first change is the most user-oriented. When an application wants to access the data in your Google account, say the contents of Gmail, Calendar and Drive for a third-party productivity application, you will have to approve each of them separately. You will also have the opportunity to deny access to one or more of those requests, so if you never plan on using the Drive functionality, you can simply discard it and the application will never get that permission.

[19659002] These permissions may also be delayed and closed behind the actions that require them. For example, if this theoretical application wanted to give you the opportunity to take a photo to add it to an email, you would not have to ask in advance when downloading it. In contrast, when you touch the option to attach an image, it will ask for permission to access the camera at that time. Google went into a little more detail about this in a post on its developer blog.

Notably, there is only the option to "deny" or "allow", but not "deny this time" or "allow this time", which I find useful when you are not totally on board with the permission in question. You can always reverse the configuration manually, but it's good to have the option to say "it's fine, just this time, weird application".

Changes will begin to be implemented this month, so do not be surprised if things look a little different the next time you download a game or update an application.

The second and third changes have to do with the limitation to which Gmail and messaging data applications can access, and to which applications access can be granted first. .

Specifically, Google is restricting access to this sensitive data for applications that "directly improve email functionality" for Gmail and its default messaging and calling applications for SMS data and call records.

Being annoying for power users; some have more than one messaging application that uses SMS or integrates SMS responses, and this may require that those applications adopt a new approach. And applications that want access to these things may have trouble convincing Google's review authorities that they qualify.

Developers should also review and accept a new set of rules that govern what Gmail data can be used, how they can be used, and what measures they should have to protect it. For example, applications can not "transfer or sell data for other purposes, such as ad targeting, market research, campaign tracking by email and other unrelated purposes." That probably makes some business models go out of business.

Applications that seek to manage Gmail data should also submit a report detailing "application penetration tests, external network penetration tests, verification of account deletion, reviews of the incident response plans, vulnerability disclosure programs, and information security policies. " allowed operations, clearly.

There will also be additional scrutiny of what permissions the developers are requesting to ensure that it matches what their application requires. If you request access to Contacts but do not use it at all, you will be asked to delete it, as it only increases the risk.

These new requirements will become effective next year, with review of the application (a process of several weeks) from January 9; Developers who arrive late will see their applications stop working at the end of March if they do not comply.

The relatively short timeline here suggests that some applications may be closed temporarily or permanently due to the rigors of the review process. Do not be surprised if you receive an update early next year indicating that the service may be interrupted due to Google's or similar review policies.

These changes are only the first results of the recommendations of Project Strobe; we can expect them to appear more in the coming months, although they may not be so surprising. To say that the Gmail and Android applications are used a lot is little, so it is understandable that they are focused first, but there are many other policies and services that the company will undoubtedly find reasons to improve.

Leave a Reply