Why Gmail’s app developer policy could mean a security risk for you

The terms of service we hurriedly agreed to keep coming back to haunt us.

Last Thursday, the Wall Street Journal reported that Google confirmed previous reports about the far-reaching access third-party apps can have to Gmail users’ accounts and personal emails.

When you download an app, it might request access to your Gmail account. But what you might not realize when you grant access is that these apps may analyze your Gmail data — including the content of your emails — for their product, and potentially for targeting ads. Apps are also allowed to share your information with third parties, as long as Google determines that it adequately discloses that to users. The Journal previously reported that “hundreds” of apps can scan the email of “millions” of users.

Google says it reviews apps to make sure they are clearly communicating what they have access to. But unless Gmail users are diligent, security experts that Mashable spoke with say the policy potentially exposes people in ways they may have not consented to or understood. 

Several experts said that app developers’ access to user data is more than just potentially creepy or invasive, though. Giving an app access to your Gmail can expose received emails as well as sent emails. So, because the policy could expose both your and your friends’ data, app access to Gmail could create a security risk similar to the mechanism that allowed for Facebook’s Cambridge Analytica scandal. 

In that instance, a researcher used a third-party app, downloaded by 270,000 people, to gather data on all 87 million Facebook users in their friend networks, and then sold the data to a company (Cambridge Analytica) that used it to engage in political advertising. So, similarly, if you happen to send an email to a Gmail user who has given an app permission to read their emails, not only can that app see your correspondence and information — but a further removed third party can also see your emails, without you having ever given consent to either party.

“I do not see what is to prevent this type of access to be abused and misused in a similar way to Cambridge Analytica,” Brian Honan, a cybersecurity consultant for major banking companies who used to work with Europol, said. “Third-party apps with access to peoples’ accounts can expose a lot of personal data about those persons which could be used to target subsequent adverts or messages to them.”

The policy

In a letter, Google reportedly told Congress that when Gmail users grant apps access to their accounts, they may — perhaps inadvertently, if they do not read the terms closely enough — allow these apps to harvest their personal information. Apps can then use what people talk about in their emails, along with demographic and other information, to target their advertising. Google lays out the policy here.

Further, under Gmail’s rules, developers are then allowed to share Gmail users’ data with still other external parties. Google says that it vets the apps, and allows this data sharing as long as it determines that the developers are adequately disclosing the activity. 

Gmail itself ended the practice of using the content of people’s emails for ad targeting in July 2017. But it has apparently kept the ability in place for outside parties — so long as users “consent.”

Experts say this portion of Gmail’s app developer policy is concerning for several reasons, on the fronts of both security and privacy.

“Without technical controls built in, app vendors are going to get to wherever they can within the platform, and within user accounts,” Rebecca Herold, a top information security expert and consultant to multi-national corporations, who is also known as “The Privacy Professor,” said. “That’s what the apps are designed to do, to gather data. These companies need to build a more rigorous set of controls to prevent that from happening.”

Security

The most straightforward problem with Gmail’s policy is the security vulnerabilities it could open users up to.

“All of these third-parties have been vetted by Google, but the reality is that every company is vulnerable to data breaches,” said Gary Davis, McAfee’s chief consumer security evangelist. “The more an individual or company shares personal data, the greater the likelihood of that information falling into malicious hands.”

“From a cybersecurity aspect, you don’t know how well those third-party apps have been vetted by Google”

Google stresses that it carefully reviews apps and employs sophisticated malware-detecting filtering technology. And, if you’re downloading an app from Google Play or the App Store, the chances of encountering a malicious app are low (though still possible). But people can and do download apps outside of these ecosystems. 

In those cases, Google’s data-collecting policy could allow for malicious apps to gain access to and undermine people’s accounts — especially on Android. Herold noted that some of the app policies allow for apps to “inject information, edit, and upload” in your account, which could lead to malware sending spam emails on your behalf. And access to personal emails could enable bad actors to craft more convincing and targeted phishing emails. 

“Google claims to have processes and systems in place to identify and remove malicious apps from its store, but despite these measures, malicious apps still are found regularly in the store,” Honan said.

“From a cybersecurity aspect, you don’t know how well those third-party apps have been vetted by Google,” said Herold.

The privacy onus

While malicious apps may pose a security risk, legitimate apps that simply want to use your data for advertising may actually be the larger issue.

Currently, the technology industry is undergoing a shift in who bears the responsibility for securing a user’s privacy. Up until this point, the onus to protect one’s privacy has been on users — which reflects Gmail’s current policy with app developers.

But thanks to the General Data Protection Regulation (GDPR) in Europe, the practice of making people consent to giving away their data by burying consent in terms and conditions is coming under scrutiny. Gmail’s own policy change about not parsing emails for the sake of advertising data reflects this sea change. And Google recently prompted its users to more proactively review security settings.

But the company’s stance toward apps that have access to email reflects an outdated, and vulnerable, approach to privacy.

“It seems like a lazy way for them to address this,” Herold said. “They’re trying to push off responsibility to those who use Gmail instead of Google taking active steps to actually secure Gmail and limit what third-party apps can actually do.”

Currently, when people download an app, they may consent to giving that app access to their Gmail accounts — and inadvertently allow apps to read their emails, and provide their data to other companies. The way that people grant permission may be clear and forthright, especially if it takes place in a Google ecosystem. But the ways that people give consent vary from device to device, and from app to app. That means that Gmail is technically covered, from a legal standpoint. But hasty app-downloaders who rush through permissions might not be.

Currently, Gmail users can review and revoke access to apps at myaccount.google.com. But McAfee’s Davis says that Google should make it easier for users to control who has access to their data within Gmail.

“The most significant part of this really boils down to individual preference,” Davis said. “In our busy lives many people value the ability to have ads served up that align with their individual needs. However, there are also many people who feel this is a breach of their privacy. Allowing Gmail users to opt in or out in a more visible way could help support the needs of consumers from both ends of the spectrum.”

Cambridge Analytica: Gmail edition?

What made Cambridge Analytica such a large-scale disaster was the ripple effect. Only about 270,000 people downloaded the app. But those people gave researcher Aleksandr Kogan access to data about all of their Facebook friends, which means he ultimately had data on 87 million people. 

Similarly, apps that have received permission to access a person’s inbox see their whole inbox — not just the emails written by the one person who gave consent for access. That means these apps could have access to the emails and contact information of whoever an individual corresponds with. They might not get access to all the profile data, as with Cambridge Analytica, but they would still be able to learn people’s names, emails, and other personal information.

Herold thinks that building in specific controls to safeguard people’s informations should fall to Gmail, rather than just relegating privacy policy to dense legal agreements.

“Internet companies need to have preventive security controls built into their platform so they can block access to specific areas of their users accounts,” Herold said. “Facebook didn’t do that. Their contract left their infrastructure wide open, and it sounds like Google’s doing that too.”

And with Cambridge Analytica, Kogan was technically not allowed to share his data with additional parties. But with Gmail, this is acceptable — as long as apps disclose what they’re doing.

“The biggest distinction is transparency,” Davis said. “Gmail developers are required to be transparent with how they use Gmail data, whereas the issue with the Cambridge Analytica scandal was a lack of understanding of who had access to what data.”

That monitoring and transparency process should protect Gmail users. But only if they have actually taken the time to read what they’ve consented to. 

And, as long as nothing goes wrong.

“The problem with depending on contractual requirements is that they’re not information security controls in and of themselves,” Herold said. “From a privacy standpoint, you have no idea what those apps might be accessing, taking, and using elsewhere. The unknown is the biggest risk.”