In an effort to cut off an avenue used in some phishing attacks, Google is planning to block authentication attempts from some apps that use embedded browser frameworks in the near future.
Google is hoping the move will help stop some forms of man-in-the-middle (MITM) attacks, which adversaries use as a way to capture credentials and then sign in to victims’ accounts. There are any number of different MITM attacks, but they all rely on the ability to establish a position between the victim and the service she is trying to log into.
“MITM intercepts the communications between a user and Google in real-time to gather the user’s credentials (including the second factor in some cases) and sign in. Because we can’t differentiate between a legitimate sign in and a MITM attack on these platforms, we will be blocking sign-ins from embedded browser frameworks starting in June,” Jonathan Skelker, a product manager for account product security at Google, said in a post announcing the change.
As old and well-researched as it is, phishing is still one of the more effective techniques for adversaries looking to steal user credentials. Many of the phishing campaigns that circulate these days are highly professional and are based on considerable reconnaissance and understanding of the target organization or group. Modern phishing emails now often include details that are specifically tailored for a given victim and come with attachments that look completely legitimate. These are not the desperate, amateurish emails pleading for money to get out of London or offering millions of dollars from an African prince. Phishing is big business, and a highly effective tactic for cybercrime groups and nation-state attackers alike.
Google’s move means that apps that use embedded browser frameworks will need to find a new way to enable users to sign in to their Google accounts. Embedded browser frameworks are simplified versions of mobile browsers designed to enable app developers to include a subset of browser functionality. Apps that make use of them will hit a wall with Google in a few weeks, and the way around that wall is with OAuth, Skelker said.
“The solution for developers currently using CEF for authentication is the same: browser-based OAuth authentication. Aside from being secure, it also enables users to see the full URL of the page where they are entering their credentials, reinforcing good anti-phishing practices,” he said.
OAuth is a protocol used for federated authentication in many mobile apps, enabling individuals to authenticate to a service by using their credentials from a third-party service, such as Google or Facebook.
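The remedy Skelker describes is browser-based OAuth: the app hands sign-in to the user's real browser rather than an embedded frame, so the address bar is visible and the app never sees the password. As an added example (not code from the article or from Google), here is the client side of that flow for a desktop app: it generates a PKCE verifier/challenge and a random state, builds the authorization URL to open in the system browser, and validates the redirect that comes back to a loopback listener. The client ID and redirect URI are placeholders; the endpoint URL is taken from Google's published OAuth documentation, not from the article.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Google's OAuth 2.0 authorization endpoint (from Google's OAuth docs, not the article).
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def code_challenge_from_verifier(verifier: str) -> str:
    """S256 code challenge per RFC 7636: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Fresh (code_verifier, code_challenge); the verifier stays in the app, only the
    challenge goes over the wire, so an intercepted auth code cannot be redeemed."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, code_challenge_from_verifier(verifier)


def build_authorization_url(client_id: str, redirect_uri: str, scope: str,
                            state: str, code_challenge: str) -> str:
    """URL the app opens in the *system* browser (e.g. via webbrowser.open)."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,      # loopback listener the app controls
        "response_type": "code",
        "scope": scope,
        "state": state,                    # random, bound to this sign-in attempt
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def parse_callback(request_line: str, expected_state: str):
    """Parse the request line the browser sends to the loopback listener, e.g.
    'GET /callback?state=...&code=... HTTP/1.1'. Returns the authorization code, or
    None when the state is missing or does not match (a redirect this app never started)."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None
    query = parse_qs(urlparse(parts[1]).query)
    received = query.get("state", [""])[0]
    if not hmac.compare_digest(received.encode(), expected_state.encode()):
        return None
    return query.get("code", [None])[0]
```

With the code in hand, the app exchanges it at the token endpoint together with the original code_verifier; the password itself never passed through the app.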