A few months ago, Symantec’s Modern OS Security team published findings on an evolving mobile security threat: apps misusing OAuth, an open standard for access authorization, could put corporate data at risk. Our research found that well-known iOS and Android apps used in enterprise are using OAuth to gain persistent access to sensitive user data in Google services such as Gmail, Google Drive and Google Calendar. While the apps themselves may not be inherently risky, they request permissions (scopes) to access sensitive data that is not always necessary for their main functionality. Additionally, we found that, depending on the requested scope and access type, an app can ultimately keep a user authenticated forever and continue accessing personal and enterprise data in G Suite apps, even when the app is no longer installed on the user’s device.
Now, Google has taken steps to mitigate the risk – good news for both end users and admins. We see this as a great example of how different players across the industry can share the goal of finding solutions to today’s app security challenges.
Specifically, earlier this month, Google announced two new updates to its G Suite OAuth Token Audit API, focused on giving enterprises more visibility and control over how third-party apps use G Suite APIs they’ve been granted.
Analyzing these monitoring logs can help admins detect and prevent some of the OAuth security concerns found in our research.
The first update is the addition of a “scope_data” field to the two existing “authorize” and “revoke” events. Previously, admins could use these events to see only which apps had been granted access to scopes and which had their access revoked. Now, with the new “scope_data” field, an app’s authority/access level can be monitored more thoroughly. Analyzing these monitoring logs can help admins detect and prevent some of the OAuth security concerns found in our research. For example, if admins have a list of active apps on corporate devices, they can identify any unauthorized access by third-party apps. Admins can then revoke such access and prevent sensitive data in G Suite from being leaked by apps that have been removed from a device.
Moreover, Google has introduced a new event called “Activity” to the Reports API and Reports section of the G Suite Admin console. The event shows method names being called on behalf of users via OAuth grants. This means enterprises can now monitor apps’ behavior on a granular level and identify those apps which make sensitive API calls on a user’s behalf, such as permanently deleting email threads.
Together, these updates enable admins to better see which apps have unauthorized access, what they can access and when, and then revoke the access token if necessary.
Google’s OAuth token audit additions provide a new way to mitigate OAuth misuse risk, and it is a welcome update. However, app developers must also shoulder the weight of reducing the risk. Coding best practices exist – such as avoiding sensitive permission requests in offline mode or following an incremental authorization practice – but they have largely been a recommendation and not a requirement of developers. Rather than relying solely on operating system vendors, app developers or any single source to mitigate mobile threats, we believe the most effective solutions will come from a partnership of stakeholders, including security providers, developers, OS vendors, enterprises and their end users, working together to create a more secure mobile ecosystem. At Symantec, we value such initiatives and continue to work with our partners to consistently provide value to users.