With Google+ shutting down because of a data vulnerability, Google has been working to give users better security for their data.
On Monday, it introduced new policies toward that goal. These policies focus on the Gmail APIs and will go into effect on January 9, 2019. Furthermore, at its hardware event yesterday, Google announced that it has integrated the Titan security chip into the newly launched Pixel 3, Pixel 3 XL, and Pixel Slate.
What are the newly introduced security policies?
The following policies will be applied to the apps accessing user data from consumer Google accounts:
Application types allowed to access the covered APIs
Only the following application types will be permitted to access these APIs:
Now users will get additional warnings if they are allowing applications to access their email without regular direct interaction. The applications will also need to re-consent to access user emails at regular intervals.
The right use of user data
According to this policy, third-party apps may access these APIs only to provide user-facing features. They should not transfer or sell the data for unrelated purposes such as ads, market research, or email campaign tracking.
Applications are permitted to use data from a user’s email if they are using it for the direct benefit of a user and not for market research. Also, human review of email data must be strictly limited.
Apps will have to pass assessments to ensure data security
To reduce the risk of data breach, third-party apps handling Gmail data will have to meet minimum security standards. Apps will need to demonstrate secure data handling with a series of assessments. These assessments include:
- Application penetration testing
- External network penetration testing
- Account deletion verification
- Reviews of incident response plans
- Vulnerability disclosure programs
- Information security policies
Accessing only the information you need
Applications will be given API access only to the information necessary to implement their features. For instance, if an app does not need full or read access and only requires send capability, it will be allowed to request only the narrower scope, so that the app accesses only the data its features need.
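To make the narrower-scope requirement concrete, here is an added example (not code from Google or from the original article) that audits the Gmail OAuth scopes an app requests against the capabilities its features need and suggests the narrowest covering set. The capability names and the scope-to-capability mapping are a simplified model assumed for this illustration.

```python
from itertools import combinations

BASE = "https://www.googleapis.com/auth/gmail."
ALL = {"send", "read_metadata", "read_body", "manage_drafts",
       "manage_labels", "insert", "modify", "permanent_delete"}
# Simplified capability model of the Gmail OAuth scopes (an assumption made
# for this example; Google's scope documentation has the exact semantics).
SCOPE_CAPS = {
    BASE + "send": {"send"},
    BASE + "metadata": {"read_metadata"},
    BASE + "readonly": {"read_metadata", "read_body"},
    BASE + "labels": {"manage_labels"},
    BASE + "insert": {"insert"},
    BASE + "compose": {"send", "manage_drafts"},
    BASE + "modify": ALL - {"permanent_delete"},
    "https://mail.google.com/": ALL,
}


def granted(scopes):
    """Union of the capabilities a collection of scopes grants."""
    return set().union(*(SCOPE_CAPS[s] for s in scopes))


def narrowest_scopes(needed):
    """Scope set covering `needed` with the fewest surplus capabilities
    (ties: fewer scopes first, then alphabetical order)."""
    needed, best = set(needed), None
    for r in range(1, len(SCOPE_CAPS) + 1):
        for combo in combinations(sorted(SCOPE_CAPS), r):
            caps = granted(combo)
            if needed <= caps:
                key = (len(caps - needed), r, combo)
                best = key if best is None or key < best else best
    if best is None:
        raise ValueError("no scope combination covers %s" % sorted(needed))
    return list(best[2])


def audit(requested, needed):
    """Compare the scopes an app requests with what its features need."""
    have, needed = granted(requested), set(needed)
    return {"surplus": sorted(have - needed),
            "missing": sorted(needed - have),
            "suggested": narrowest_scopes(needed)}
```

For a send-only app that requests full mailbox access, `audit(["https://mail.google.com/"], {"send"})` reports every non-send capability as surplus and suggests the `gmail.send` scope alone.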
Applications that are accessing the covered Gmail APIs can submit an application beginning from January 9, 2019, and must submit a review by February 15, 2019. These applications will be reviewed for compliance with the policies described above.
After that, developers need to complete a security assessment by a third-party assessor, for which they will be charged a fee ranging from $15,000 to $75,000. This fee is due whether or not the app passes the assessment.
Titan Security chip comes to Pixel 3, Pixel 3 XL, and Pixel Slate
Google announced at yesterday’s hardware event that it has integrated its in-house Titan Security chip into the newly launched Pixel 3, Pixel 3 XL, and Pixel Slate, making for a more secure experience for users.
Google in a blog post said:
“We’re committed to the security of our users. We need to offer simple, powerful ways to safeguard your devices. We’ve integrated Titan Security, the system we built for Google, into our new mobile devices. Titan Security protects your most sensitive on-device data by securing your lock screen and strengthening disk encryption.”
The Titan Security system was first introduced last year for Google Cloud Platform. It is a low-power, phishing-resistant two-factor authentication (2FA) microchip. This chip is used to secure the lockscreen, strengthen disk encryption, and protect the integrity of the operating system.
Rick Osterloh, senior vice president of hardware, said during the event:
“By combining Titan Security both in the data center and on device, we’ve created a closed loop for your data across the Google ecosystem.”