
Google launches new security features to protect users from unverified apps - workerthread
https://techcrunch.com/2017/07/18/google-launches-new-security-features-to-protect-users-from-unverified-apps/
======
otp124
I like the forced UX of typing something, though "continue" might be glossed
over. It would be an interesting study to determine if typing "I know the
risk" is a better safety mechanism for users (can be A/B tested for fewer
pass-through events) than "continue".

~~~
askvictor
Typing something unique (eg the name of the app) might also be useful as it
forces some cognitive processing.

~~~
Moru
Or "I allow LeetHaxorApp to access all my data"

But I guess that is a bit too much typing for most people.

~~~
timlyo
Might be a good thing for apps that try to look like something else:
G00GLE or FACEB00K could be missed, but having to type a zero manually instead
of an O would (hopefully) eliminate that.

~~~
askvictor
Nice, though it would probably just cause confusion for a heap of people, and
would result in them not installing the app (good) and blaming Google for it
(bad for their brand).

I would have thought by now it would be pretty easy for algorithms or AI to
pick up on these kinds of tricks, whether by a similarity score or an image
processing approach.
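
One way the similarity-score idea above could be put into practice, as an added example that is not code from the thread or from Google: fold look-alike characters to their Latin counterparts, then match the folded name against a brand list and measure edit distance. The brand list, the confusables table and the distance threshold are illustrative assumptions.

```python
"""Added example, not code from the thread or from Google: flag OAuth app
display names that impersonate a known brand with look-alike characters,
the G00GLE / FACEB00K trick discussed above.

Two cheap signals are combined:
  * a confusables table (digits, symbols and Cyrillic letters that render
    like Latin letters) folded into a canonical form, then whole-word
    matched against a brand list;
  * Levenshtein distance on the folded form, to catch one-character typos.
The brand list, the confusables table and the distance threshold are
illustrative assumptions, not Google's actual policy.
"""
import re
import unicodedata

# Names an identity provider would not want an unverified app to pose as
# (constructed for the example).
PROTECTED_BRANDS = {"google", "google docs", "facebook", "dropbox", "gmail"}

# Characters that render close to a Latin letter. Illustrative, not complete.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "$": "s", "@": "a", "|": "l", "!": "i",
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043e": "o",  # Cyrillic о
    "\u0440": "p",  # Cyrillic р
    "\u0441": "c",  # Cyrillic с
    "\u0443": "y",  # Cyrillic у
    "\u0445": "x",  # Cyrillic х
}


def fold(name):
    """Canonicalise a display name: compatibility-normalise, lowercase,
    map confusables to their Latin look-alike, strip accents, collapse
    whitespace.  fold("G00GLE") == "google"."""
    s = unicodedata.normalize("NFKC", name).lower()
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    s = "".join(ch for ch in unicodedata.normalize("NFD", s)
                if not unicodedata.combining(ch))
    return " ".join(s.split())


def levenshtein(a, b):
    """Edit distance with insert/delete/substitute cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def impersonation_score(name, brands=PROTECTED_BRANDS):
    """Classify a display name against the brand list.

    Returns (verdict, brand, distance) where verdict is
      "brand"      - the brand name appears verbatim (not disguised, but
                     still worth a trademark/ownership check),
      "lookalike"  - the brand name appears only after folding, i.e. the
                     name is spelled with confusable characters,
      "near"       - within one edit of a brand on the folded form,
      "ok"         - nothing suspicious found.
    """
    folded = fold(name)
    raw = " ".join(name.lower().split())
    # Longest brands first so "google docs" wins over "google".
    for brand in sorted(brands, key=len, reverse=True):
        if re.search(r"\b" + re.escape(brand) + r"\b", folded):
            return ("brand" if brand in raw else "lookalike"), brand, 0
    best = min(brands, key=lambda b: levenshtein(folded, b))
    dist = levenshtein(folded, best)
    if dist <= 1:  # threshold is an assumption; tune on real data
        return "near", best, dist
    return "ok", best, dist


if __name__ == "__main__":
    for candidate in ["Google Docs", "G00GLE", "FACEB00K", "Dr0pbox Sync",
                      "G\u043e\u043egle", "Goggle", "Weather Widget"]:
        print(f"{candidate!r:22} -> {impersonation_score(candidate)}")
```

The folding step is what catches the zero-for-O trick as well as mixed-script names (Cyrillic о in "Gооgle"); the edit-distance pass only covers plain typos, so the two are complementary. A real deployment would draw the confusables table from the Unicode confusables data rather than a hand-written dict.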

------
philo23
I'm not sure I'm a fan of the way Google is re-using the Chrome error page
styling for this, but I can't put my finger on why exactly...

~~~
martin-adams
Because you associate it with an error that you have no control over? I find
that I'm tuned to recognise patterns of behaviour, so when the patterns look
similar to other things, but aren't the same, it's quite confusing.

~~~
samtoday
It is literally training users to dismiss these kinds of errors. In Chrome,
these errors are really bad, like a safebrowsing warning or a TLS error.

On the other hand, this warning will probably happen a lot! Is Google going to
be able to "validate" apps fast enough?

------
ComodoHacker
I just can't shrug off the thought that the manual review approach is a lost
game in the long run. It's a process that requires a skilled human and can't
be fully automated, while generating malicious code perfectly can.

~~~
eterm
Tasks of classifying things (in this case into "approved" or "rejected") that
humans can routinely do but machines find difficult are areas where ML shines.

Human reviewers today, but once the training set is large enough you can start
to let computers take over with human reviewers reviewing the lower certainty
cases until the certainties rise further.

~~~
ComodoHacker
I bet we first hear about ML shining at generating malicious code obfuscated
as legit.

------
pietroalbini
Does this also appear on websites only using Google OAuth for authentication,
requesting only the email address?

~~~
eeveewoofwoof
No, it doesn't appear for email/basic profile scopes.
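
A check a developer can run against their own authorization URLs, added here as an example (not code from the thread or from Google): extract the requested scopes and separate basic sign-in scopes from anything broader. Which scopes count as "basic" is an assumption taken from the reply above (email/basic profile); Google's exact sensitive-scope list is not on this page, and the two sample URLs are constructed.

```python
"""Added example, not code from the thread or from Google: audit the
scopes an OAuth 2.0 authorization request to Google asks for, so a
developer can confirm an app stays within the basic sign-in scopes that
(per the reply above) do not trigger the unverified-app screen.

Assumption: only the OpenID Connect sign-in scopes in BASIC_SCOPES are
treated as basic; every other scope is reported as "elevated" and the
app should expect the warning until it is verified.  The two sample URLs
are constructed for the example.
"""
from urllib.parse import parse_qs, urlparse

# OpenID Connect sign-in scopes that only identify the user.
BASIC_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

AUTHORIZE = "https://accounts.google.com/o/oauth2/v2/auth"
COMMON = ("?client_id=example-client-id.apps.googleusercontent.com"
          "&redirect_uri=https%3A%2F%2Fapp.example%2Foauth%2Fcb"
          "&response_type=code&state=s3cr3tstate")

# "Sign in with Google" only: identity, nothing else.
SIGN_IN_ONLY = AUTHORIZE + COMMON + "&scope=openid%20email"

# Consent-phishing style request: identity plus mail and contacts.
MAIL_AND_CONTACTS = (
    AUTHORIZE + COMMON + "&scope=openid%20email"
    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly"
    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly"
)


def scopes_from_authorize_url(url):
    """Return the space-separated scope list (RFC 6749 section 3.3) from
    an authorization request URL; [] if no scope parameter is present."""
    query = parse_qs(urlparse(url).query)
    return query.get("scope", [""])[0].split()


def audit_scopes(scopes):
    """Split scopes into (basic, elevated), each sorted."""
    basic = sorted(s for s in scopes if s in BASIC_SCOPES)
    elevated = sorted(s for s in scopes if s not in BASIC_SCOPES)
    return basic, elevated


def needs_verification(url):
    """True if the request asks for anything beyond basic sign-in."""
    _, elevated = audit_scopes(scopes_from_authorize_url(url))
    return bool(elevated)


if __name__ == "__main__":
    for label, url in [("sign-in only", SIGN_IN_ONLY),
                       ("mail+contacts", MAIL_AND_CONTACTS)]:
        basic, elevated = audit_scopes(scopes_from_authorize_url(url))
        print(f"{label}: basic={basic} elevated={elevated} "
              f"needs_verification={needs_verification(url)}")
```

Running this in CI against the URL your sign-in button actually emits is a cheap way to notice when a library upgrade or a copied snippet quietly adds a Gmail or Drive scope to what was supposed to be a login-only integration.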

~~~
akuji1993
Thanks for that info, if it's set up like this it doesn't affect me at all,
instead of being really annoying to work with (since most of my apps are still
in development).

------
Walf
But they still don't let you create app-specific passwords/tokens without
enabling 2FA. How they think enabling "less secure apps" is better is beyond
me. Trying to force an office full of luddites into 2FA does not go down well.

------
pkamb
> Type Continue to go to example.com

User types "continue"

~~~
pbhjpbhj
More like "malware app that user installed to type continue at all such
prompts types 'continue'".

------
mrkrabo
In case you don't feel like clicking, this doesn't concern Android apps, but
OAuth apps that want access to your Google account.

~~~
kyrra
It's also worth noting that this likely would stop phishing attacks like the
one that happened earlier this year.

[https://www.theverge.com/2017/5/3/15534768/google-docs-phish...](https://www.theverge.com/2017/5/3/15534768/google-docs-phishing-attack-share-this-document-with-you-spam)

[https://news.ycombinator.com/item?id=14258918](https://news.ycombinator.com/item?id=14258918)

~~~
TomAnthony
I reported a bug to Google just a couple of days ago, which is very similar to
this.

It allows an attacker to present a user with a real Google 'account select' page
with their account listed, but if they click that link it actually redirects
them to another site (which you can dress up to look like the password page
the user is expecting).

It is arguably worse than the previous issue, as I don't need a hoax
extension, I can just manipulate the link to inject the malicious redirect
behaviour.

They have triaged it and I'll probably write up a report once they are happy
for me to do so.

~~~
Buge
I'm not sure it's worse, since it requires users to type their password into a
non-google.com domain. Whereas with the oauth phishing, everything was on
google.com so it looked legit.

~~~
TomAnthony
That is a good point. The flip side is having the account password is far more
devastating.

------
rallycarre
No point in OAuth apps if Google has access to it. I'd rather pay for my e-mail
service than use Google, whose source of revenue is directly in conflict
with my interest in privacy and security.

I highly recommend protonemail.com. Has all the bells and whistles and its
major feature is user privacy and security.

~~~
paradite
I see that you don't use ProtonMail often.

------
cft
Google has become the judge, the jury and the executioner of the internet.
Recently a malicious user embedded an image from a site that is on Google's
Safe Browsing list in a forum that is itself embedded on a third party site.
This nuked a popular third party site where the forum is embedded: it is now
flashing red (malicious software detected) in Chrome.

~~~
adtac
I was wondering how HN would spin this into Evil-Google. It's just tiring at
this point. This is a perfectly valid security guard that protects their
users.

~~~
blojayble
Where does this attitude stem from anyway?

~~~
xiaoma
I think it really started when Google made its ill-spirited push to make
everyone use Plus[1]. Before that point, Google was mostly beloved and most
users were truly grateful for Google's free products. After that push, many
lost YouTube accounts (including me), people who didn't even want to use Plus
for chats were pushed to that page as the popular Google Talk app was killed
(and then later forcibly moved from plus.google.* to hangouts.google.*).

In a fairly short period of time, people started seeing the same kind of
"We're in charge and you're going to use _____ and like it!" attitude that
Microsoft was once famous for. People wanted Plus about as much as they wanted
Vista, but it got shoved on them anyway.

In more recent years—with AMP pages (and authors on Plus) getting an edge in
search, google.com badgering users to install Chrome, a successful
embrace->extend->extinguish strategy being executed against open source
Android, etc—moves like this one don't look so innocent as they would have
coming from the smaller, goofier and cheerier Google of 2005.

1: [http://www.businessinsider.com/larry-page-just-tied-employee...](http://www.businessinsider.com/larry-page-just-tied-employee-bonuses-to-the-success-of-the-googles-social-strategy-2011-4?op=1)

