This article was published on October 9, 2018

Google is issuing stricter guidelines for devs after Google+ security debacle



Last night, Google decided to shut down Google+ after the Wall Street Journal reported that the company discovered a critical bug in the platform, and decided not to disclose it. Google’s VP of engineering Ben Smith said that nearly 500,000 users might have been affected but the company didn’t find any instance where any developer took advantage of the vulnerability.

To avoid this kind of incident in the future, Google is launching a new initiative called Project Strobe, which outlines tighter guidelines for developers using Google services and accessing the company’s APIs in their apps. Here are some of the changes which will impact devs and users the most:

  • Google is offering granular control of Google services accessed by an app to users. Following the Android permission model, apps will have to get permission separately for each service they use. Here’s an example: An app could previously get access to a user’s Google Drive and Google Calendar by requesting it from the user in a single prompt. But now, it has to request permission for each of these two services separately. Developers can get more information about the change here.

  • The company is also limiting access to Gmail services to certain apps like email clients, productivity suites, and email backup managers. Additionally, Google has issued new guidelines for developers to modify their apps. Apps using Gmail API will go through a stricter review process after January 2019, particularly on the grounds of security, fair usage of Google’s APIs, and user data management.
  • Google Play will limit Android apps using SMS and phone data to avoid misuse of that information. Only apps set as the default for calling and texting will have access to this data, with the exception of voicemail and backup apps.
  • Google is also separating contacts interaction data – which is used to determine recent and frequent contacts – from the Contacts API. This means that a lot of apps using SMS for authentication may have to change their code.

Smith said that in the coming months, the company will roll out additional controls for users and updated policies for developers:

Our goal is to support a wide range of useful apps, while ensuring that everyone is confident that their data is secure. By giving developers more explicit rules of the road, and helping users control your data, we can ensure that we keep doing just that.

While Google seems to be getting more serious about security, its decision to hush up the major Google+ bug might sow seeds of doubt about how much the company really cares about its customers’ data. The Mountain View company surely wouldn’t want to end up facing backlash like Facebook has in recent times.
