In research presented last month, security researchers said that many of the apps listed on the G Suite Marketplace have access to users' Gmail and Drive accounts, but also communicate with undisclosed external services, creating the opportunity for secret data exfiltration from Google accounts.
The research, carried out by Irwin Reyes and Michael Lack of Two Six Labs, analyzed the permissions requested by third-party Google apps listed on the G Suite Marketplace.
Reyes and Lack said they used an automated script to install all the 1,392 apps listed on the G Suite Marketplace on January 2, 2020, on a test Google account and then record the permissions each app requested.
The duo said they found that of the 1,392 apps they tested, 405 failed with various errors. Of the 987 apps that could be installed, the researchers said that 889 apps required access to user data via Google APIs, and hence, triggered a permission request.
Of these 889, almost half (49%), accounting for 481 apps, requested permission to communicate with external services, creating a bridge between a user's sensitive Drive and Gmail data and the outside world.
The research team says that of these 481 apps that could bridge to the outside world, 103 (21% of 481) could access and interact with Google Drive files, 81 (17%) could access and interact with email inboxes, and 15 (3.0%) could access and interact with calendar data.
However, while some add-ons had legitimate reasons to connect to external services, for some, this was unclear. In fact, in most cases, researchers said this was very unclear.
Reyes and Lack say that beyond app descriptions and privacy policies voluntarily provided by the app developers, users don't have any insight into which external services a G Suite app may be communicating with, or the nature of the communication.
Unverified apps pose a danger to Google users
But the issues don't stop here. Researchers said they've also spotted a second problem with the G Suite Marketplace's review process.
This review process is mandatory for all apps submitted to the marketplace and especially for apps that make API calls that Google classifies as either sensitive or restricted.
The review can range from 3 to 5 days for apps that make "sensitive" API calls, or from 4 to 8 weeks for apps that make "restricted" API calls that interact with a user's Gmail or Google Drive data.
Because this creates long turnaround times for apps submitted for review, Google allows app developers to list apps as "unverified" on the G Suite Marketplace.
To reduce the danger of listing "unverified" apps, when users try to install any of these apps, Google also shows full-page messages that warn users of the danger of installing a potentially dangerous app that has not yet passed through its review process.
In addition, as a secondary precaution, Google also limits "unverified" G Suite apps to no more than 100 installs until they pass the review process.
However, the research team says that during a second scan of the G Suite Marketplace, carried out on January 18, 2020, 16 days after their initial research, they found that many unverified apps had gained more than 100 users while awaiting review, suggesting that Google was not enforcing its "100 new users" hard limit.
Researchers recommend moving from install-time to run-time permissions
The Two Six Labs team argues that many of the same issues that plagued Facebook's third-party app ecosystem now impact Google's G Suite Marketplace, which may soon result in malicious apps being uploaded to the store for the sole purpose of collecting data from Google users (most of whom are enterprise users of Google's G Suite package).
Reyes and Lack say that one way to address this issue is for Google to move from prompting users for permissions when the app is installed to prompting when the app is first used.
Moving from install-time permissions to run-time permissions has a proven record for improving users' ability to spot intrusive apps, and is a technique that Google itself also previously employed to improve the security of the Android app ecosystem.
A Google spokesperson provided the following statement regarding the research team's report, disputing their findings:
"We have a rigorous process of verification for every application that is submitted to the G Suite Marketplace, and we continue to work with our developers to ensure compliance with our policies. The conclusions in this report do not accurately reflect the stringent third-party data access and privacy protections we have in place to protect our users. For our G Suite customers, we provide admins full visibility and comprehensive controls to manage app access."
The team's research was presented last month at the 41st IEEE Symposium on Security and Privacy Workshops. A draft of their research paper, entitled "API Privacy: A Look at G Suite Marketplace Permissions and Policies," is available in PDF format.
Article updated on June 5 with statement from Google.