Project Strobe, what will change after the Google security breach?

Google announced a security breach that may have exposed data of over 500,000 users of its Google+ social network, these are the measures in response to the incident.

Yesterday Google announced a security breach that may have exposed data of over 500,000 users of its Google+ social network.

Security experts and privacy advocated criticized the company because it did not disclose the flaw in the Google+ when it first discovered the issue in March because it feared regulatory scrutiny and reputational damage.

.Now the company in order to prevent potential leakage of sensitive data to third-party app developers implemented significant changes to give users a granular control over the data they allow to share with each app.

Google has updated its Account Permissions system in order to allow users to grant individual permission rather than grant a full set of permissions at once.

The company introduced several changes as a result of the work of its internal group Project Strobe, an internal task force charged of conducting a companywide audit of the company’s APIs in recent months.

The team reviewed the third-party developers access to Google account and Android device data, the IT giant has changed the way permissions are approved for Android apps to prevent the abuse and potential leakage of sensitive call and text log data by third-party developers.

While the apps are only supposed to request permission those are required for functioning properly, any Android app can ask permission to access your phone and SMS data unnecessarily.

The new rule is part of the Google Play Developer Policy and aims to prevent the abuse of Call Log and SMS permission usage to your “default” phone or SMS apps only.

“Some Android apps ask for permission to access a user’s phone (including call logs) and SMS data. Going forward, Google Play will limit which apps are allowed to ask for these permissions.” reads a blog post published by Google on the Project Strobe.

“Only an app that you’ve selected as your default app for making calls or text messages will be able to make these requests. (There are some exceptions—e.g., voicemail and backup apps.),”

Google has also limited access to Gmail API only for apps expressly developed to improve/implement email features, including email clients and email backup services.

The measure aims at limiting APIs access to data from your Gmail email account.

What will happen from today?

The developers will have to update their application in compliance with the new policy within January 6th, 90 days from now.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Securi ty Affairs – Google, Project Strobe)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.