
Investing in the security of our API ecosystem: updates on the security assessment

December 16, 2019
Andy Wen

Director of Product Management, Google Workspace

Google is committed to providing robust tools and controls to help businesses and users keep their information secure. As a part of this, we’ve focused heavily on strengthening the security of the Google API ecosystem by requiring all apps that access consumer data to enhance functionality—such as email clients, backup services and productivity services—to complete a robust security assessment. We require this in addition to other proactive data protections we have in place, like limitations on the use of user data, fine-grained data-sharing controls, automated token revocation, and the advent of G Suite Add-ons.

Over the past year, it’s been great to see app developers invest meaningful time and energy in complying with our upgraded privacy and security requirements—action that greatly improves the security of our entire app ecosystem and better protects users. Read on for a quick update on the security assessment standards.

About the Google security assessment
First, what is the security assessment? It’s an assessment that conducts real-world vulnerability tests and reviews critical security policies and practices on third-party applications. Any app that accesses consumer data from restricted scopes and sends it to their servers must complete an assessment. This FAQ explains more specifics. To date, developers have used the security assessment to identify and address threats such as:

  • Cross-site Scripting (XSS) attacks, which allow attackers to send malicious scripts to unsuspecting users. These typically occur due to inadequate validation of user input. 

  • Insufficient authorization controls. After sign-in, users can incorrectly access more information than they should be able to access.

  • Improper session handling. After sign-in, session IDs used to track user state are not handled correctly. This commonly occurs when users are not signed out correctly, or when session IDs are exposed in the URL or taken over in a session hijacking attack.

  • Inappropriate disclosure of sensitive information, or an app that exposes more information than expected.
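
The session-handling failures in the list above (sessions that survive sign-out, IDs exposed in the URL, hijacked IDs), handled in a small server-side session store. This is an added example, not code from Google or from the security assessment; the class and function names, the cookie name `sid` and the 15-minute idle timeout are assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60  # seconds; assumed policy value, not from the post


class SessionStore:
    """Server-side session table: the ID is only a random lookup key."""

    def __init__(self, clock=time.monotonic):
        self._sessions = {}  # session_id -> (user, last_seen)
        self._clock = clock

    def sign_in(self, user, old_id=None):
        # Drop any pre-login ID so a fixated or leaked value becomes useless.
        self._sessions.pop(old_id, None)
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = (user, self._clock())
        return sid

    def lookup(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, last_seen = entry
        if self._clock() - last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]  # expire idle sessions on the server
            return None
        self._sessions[sid] = (user, self._clock())  # refresh idle timer
        return user

    def sign_out(self, sid):
        # Sign-out deletes server state; clearing the cookie alone is not enough.
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """Build the Set-Cookie value: the ID travels in a cookie, never in the URL."""
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["secure"] = True      # sent over HTTPS only
    cookie["sid"]["httponly"] = True    # not readable from page scripts
    cookie["sid"]["samesite"] = "Strict"
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()
```
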

In a significant portion of these assessments, developers improved their apps’ security posture by mitigating potential threats and adopting new best practices. We’ve also seen developers implement industry best practices to better manage and store sensitive user data. Here are some examples: 

  • Establishing clear ways for researchers to submit discovered vulnerabilities through our API Security Rewards Program;

  • Creating processes to help employees respond to and remedy data breaches;

  • Defining “sensitive” user data, and limiting access to it; 

  • Encrypting storage of OAuth refresh tokens, which can limit damage if a data breach does occur;

  • Requiring the use of two-factor authentication (2FA) to minimize the risk of phishing.

Looking ahead, we hope to see more apps complete the security assessment. As a reminder, apps that are required to complete the security assessment and have not done so will be subject to having their Gmail API access suspended starting early next year. Those users who are connected to an app that will be suspended will get an email notification warning them of the change. As previously announced, we are also planning to roll this security assessment program out to other apps to improve the security ecosystem, including Google Drive. Stay tuned for updates.
